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ABSTRACT 


This  thesis  presents  an  implementation  of  segment 
management  for  the  security  kernel  of  a  secure  archival 
storage  system.  The  basis  for  this  implementation  is  a 
family  of  secure,  distributed,  multi-microprocessor 
operating  systems  designed  to  provide  multilevel  internal 
computer  security  and  controlled  sharing  of  data  among 
authorized  users.  This  implementation  provides  address  space 
management  for  individual  processes,  based  on  segmentation 
as  a  memory  management  scheme.  Non-discretionary  information 
security  is  provided  through  enforcement  of  a  security 
policy  based  on  a  lattice  structure  that  allows  flexibility 
in  representing  different  security  policies?  the  Department 
of  Defense  (DoD)  security  classification  system  is  the 
security  policy  represented  in  this  thesis.  Implementation 
was  completed  on  the  ZILOG  Z8000  microprocessor. 
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I.  INTRODUCTION 


This  thesis  addresses  the  implementation  of  the  segment 
management  functions  of  an  operating  system  known  as  the 
Secure  Archival  Storage  System  or  SASS.  This  system,  with 
full  implementation,  will  provide:  (1)  multilevel  secure 
access  to  information  (files)  stored  in  a  "data  warehouse" 
for  a  network  of  multiple  host  computers,  and  (2)  controlled 
data  sharing  among  authorized  users.  The  correct  performance 
of  both  of  these  features  is  directly  dependent  upon  the 
proper  implementation  of  the  segment  management  functions 
addressed  in  this  thesis.  The  issue  of  access  to  sensitive 
information  is  addressed  by  the  Non-Discretionary  Security 
Module,  which  mediates  all  non-discretionary  access  to 
information.  Sharing  of  information  is  accomplished  chiefly 
through  the  properties  of  segmentation,  the  SASS  memory 
management  scheme  that  is  supported  by  the  Memory  Manager 
Module  and  the  Segment  Manager  Module.  The  implementation  of 
segment  management  for  SASS  is  thus  integral  to  the 
attainment  of  the  two  key  goals  that  SASS  was  designed  to 
achieve.  This  implementation  addresses  the  Non-Discretionary 
Security,  Distributed  Memory  Manager  (the  interface  to  the 
Memory  Manager  Process"),  and  Segment  Manager  modules. 


A.  BACKGROUND 

O'Connell  and  Richardson  provided  the  design  for  a 
family  of  secure,  distributed,  multi-microprocessor 
operating  systems  from  which  the  subset,  SASS,  was  later 
derived  [6].  In  their  work,  two  of  the  primary  motivations 
were  to  provide  a  system  that  (1)  effectively  coordinated 
the  processing  power  of  microprocessors  and  (2)  provided 
information  security. 

The  basis  for  emphasis  on  utilization  of  microprocessors 
is  not  purely  that  of  replacing  software  with  more  powerful 
(and  faster)  hardware  (microprocessors)  but  is  also  an 
economic  issue.  Software  development  and  computing 
operations  are  becoming  more  and  more  expensive,  putting 
further  pressure  on  system  designers  to  increasingly  utilize 
people  solely  for  system  functions  that  computers  cannot 
perform  in  a  cost  effective  manner.  Microcomputers,  on  the 
other  hand,  are  becoming  less  and  less  expensive  and  are, 
therefore,  increasingly  being  used  for  more  functions. 

The  need  for  information  security  has  been  gradually 
recognized  as  the  uses  of  computers  have  expanded.  As 
security  needs  for  specific  computer  systems  have  been 
recognized,  attempts  have  been  made  to  modify  the  existing 
systems  to  provide  the  desired  security.  The  results  have 
been  systems  that  could  not  be  certified  as  secure  and/or 
which  have  failed  to  resist  penetration  efforts,  i.e. 
systems  which,  in  effect,  did  not  provide  adequate 


Information  security.  It  has  become  clear  that,  In  order  to 
be  certlflably  secure,  a  computer  system  must  have  security 
designed  In  from  first  principles  [10,11] .  Such  is  the  case 
with  SASS.  Information  security  was  and  continues  to  be  a 
chief  design  feature.  Integral  to  the  design  goal  of 
information  security  were  two  related  goals.  One  of  these 
goals  was  to  provide  multilevel  controlled  access'  to  a 
consolidated  "warehouse"  of  data  for  a  network  of  multiple 
host  computers.  The  other  key  goal  was  to  provide  for 

controlled  shar'  g  among  the  computer  hosts. 

A  brief  background  of  prior  work  relative  to  SASS 
follows.  O'Connell  and  Richardson  originated  the  design  of  a 
secure  family  of  operating  systems.  Their  design  provided 
two  basic  parts  for  their  system  —  the  supervisor  (to 
provide  operating  system  services)  and  the  kernel  (to 

provide  for  physical  resource  management).  The  design  of  the 
SASS  supervisor  was  completed  by  Parks  [7]  .  No 
implementation  or  further  design  effort  on  the  supervior  has 
followed,  to  date.  The  initial  design  of  the  kernel  was 

completed  by  Coleman  [1] .  That  design  described  the  kernel 
in  terms  of  seven  modules: 

1.  Gate  Keeper  Module  —  provided  for  ring-crossing 
mechanism  and  thus  isolation  of  the  kernel. 

2.  Segment  Manager  Module  —  provided  for  management  of 
segmented  virtual  memory. 

3.  Traffic  Controller  Module  —  multiplexed  processes 
onto  virtual  processors  and  supports  the  inter- 


process  communication  primitives  Block  and  Yakeup. 
Block  and  Yakeup. 

4.  Non-Discretionary  Security  Module  —  mediated 
non-discretionary  security  access  attempts. 

5.  Inner  Traffic  Controller  Module  —  multiplexed 
virtual  processors  onto  real  processors  and 
provided  the  Kernel  synchronization  primitives 
Signal  and  Wait. 

6.  Memory  Manager  Module  —  managed  main  memory  and 
secondary  storage. 

7.  Input-Output  Manager  —  managed  the  moving  of 
information  to  external  devices  outside  the 
boundaries  of  the  SASS. 

Refinement  of  the  kernel  design  and  partial  implementation 
was  completed  by  Gary  and  Moore  [4]  in  conjunction  with 
Reitz  [9].  The  resultant  description  of  the  kernel  as  a 
result  of  their  work  was: 


1.  Gate  Keeper  Module 

2.  Segment  Manager  Module 

3.  Event  Manager  Module  —  worked  with  the 
Traffic  Controller  to  manage  the  "event 
data"  associated  with  the  IPC  mechanism 
of  eventcounts  and  sequencers. 

4.  Non-Discretionary  Security  Module 

5.  Traffic  Controller  Module  —  replaced 
Block  and  Yakeup  with  Advance  and  Await 
(to  implement  Supervisor  IPC  mechanism  of 
eventcounts  and  sequencers). 

6.  Memory  Manager  Module 

7.  Inner  Traffic  Controller  Module 


Reitz  implemented  the  Traffic  Controller  Module  and  Inner 
Traffic  Controller  Module.  Gary  and  Moore  completed  a 
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detailed  design  of  the  Memory  Manager,  originated  the  Memory 
Manager  code  (written  predominantly  in  PLZ/SYS),  selected  a 
thread  of  the  code,  hand  compiled  it  into  PLZ/ASM  and  ran  it 
on  the  ZS000  developmental  module. 

The  design  and  implementation  works  mentioned  above 
provided  the  design  base  for  this  implementation. 
Refinements  were  made  as  needed  and  are  discussed  in 
Appendix  G  of  this  thesis.  A  broader  description  of  the 
current  state  of  SASS  will  be  provided  in  the  next  section. 

B.  SECURE  ARCHIVAL  STORAGE  SYSTEM  OVERVIEW 

This  section  presents  a  brief  summary  of  the  current 
design  state  of  the  Secure  Archival  Storage  System.  The 
purpose  of  this  summary  is  to  provide  continuity  (interface) 
between  this  and  previous  work  relative  to  SASS,  and  to 
enhance  understanding  of  the  evolution  of  the  more  detailed 
and  system  specific  information  provided  later  in  this 
thesis. 

1.  Levels  of  Abstraction 

The  original  design  for  a  family  of  secure, 
distributed  operating  systems  (which  was  the  basis  for  the 
development  of  SASS)  used  effectively  the  concept  of  levels 
of  abstraction  as  a  design  methodology  tool.  Just  as  this 
tool  allows  for  clarity  and  simplification  in 
conceptualizing  and  designing  a  system,  it  also  enhances  the 

i 

ability  to  clearly  and  succinctly  describe  that  system's 
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design.  Thus,  aa  abstract  system  overview  (description)  of 
SASS  will  he  presented  here.  Figure  l  represents  that 
overview  (illustrated  for  a  single  host  system  for  clarity). 
There  are  four  levels  of  abstraction: 

Level  3  —  the  Host  computer  systems 
Level  2  —  the  Supervisor 
Level  1  —  the  Kernel 
Level  0  —  the  Hardware 

The  Gate  Keeper  Module  is  logically  the  boundary  between  the 
Supervisor  and  the  Kernel  and  thus  will  not  be  discussed 
within  either  of  these  levels,  but  rather  separately. 

2.  Level  Three  -  Host  Computer(s) 

Level  three  consists  of  the  Host  computer  systems. 
There  may  be  a  variable  number  of  host  computers  of  any  type 
(e.g.,  micro,  mini,  etc).  Each  host  may  be  used  to  create 
and  manipulate  files  of  a  fixed,  predetermined  degree  of 
sensitivity  (or  security  classification).  Once  a  user  of  a 
host  computer  system  completes  work  on  a  particular  file, 
they  can  permanently  store  that  file  on  the  SASS  (and,  of 
course,  may  later  again  access  the  same  file  by  requesting 
the  SASS  to  provide  it  to  them).  Each  host  computer  system 
is  individually  wired  to  an  I/O  port  of  the  Z8001.  Each  of 
the  ports  has  fixed  access  level. 
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If  a  multilevel  secure  Host  desires  to  handle  data 
at  two  levels  (e.g.,  secret  and  unclassified),  it  will  use 
two  connections  to  the  SASS.  Physical  and/or  cryptographic 
protection  of  the  hardwire  connections  is  assumed. 

3.  Level  Two  -  Supervisor 

Level  two  is  the  Supervisor.  A  proper  description  of 
the  Supervisor  is  "that  component  of  the  SASS  that  executes 
in  the  outer,  less  privileged  domain  (normal  mode)  of  the 
Z8001  microprocessor,  and  is  responsible  for  the  SASS  -  Host 
computer  interface”.  Integral  to  this  description  (and  the 
Kernel's  description)  is  the  concept  of  a  "domain”,  that  can 
he  described  using  four  other  terms  that  also  need  to  be 
defined:  ’’process",  "address  space",  "segment",  and 
"segmentation”.  Padnick  and  Donovan  [5]  define  a  process  as 
the  locus  of  points  of  a  processor  executing  a  collection  of 
programs?  the  collection  of  programs  and  data  that  are 
accessed  in  a  process  forms  that  process's  address  space.  A 
segment  is  defined  as  a  logical  grouping  of  information, 
such  as  a  subroutine,  array,  or  data  area,  and  segmentation 
is  defined  as  the  technique  for  managing  segments  of  an 
address  space.  It  is  convenient  then,  since  the  SASS  uses 
segmentation  as  a  memory  management  scheme,  to  more 
specifically  define  a  SASS  process  address  space  as  the 
collection  of  segments  that  are  accessed  (or  are  accessible) 
in  that  process.  A  domain  is  conceptualized  in  SASS  due  to 
the  necessity  to  Isolate  the  Kernel  from  all  possible 


17 


outside  influences.  To  achieve  this,  a  process'  address 
space  is  divided  into  a  hierarchial  arrangement  of  segment 
accessibility ,  viz.,  a  set  of  hierarchial  protection  domains 
called  protection  rings.  In  SASS,  there  are  two  domains 
implemented  (and  necessary  as  a  minimum):  the  Supervisor 
domain  and  the  Kernel  domain.  The  Z8001  microprocessor 
provides  the  SASS  with  two  execution  modes  that,  along  with 
Kernel  software.  Implement  these  domains:  a  system  (Kernel) 
mode  that  provides  access  to  all  segments  (and  machine 
instructions),  and  a  normal  (Supervisor)  mode  that  provides 
access  to  a  subset  of  the  segments  (and  machine 
instructions).  Thus,  the  Supervisor  operates  in  the  outer  or 
less  privileged  domain. 

The  Supervisor  contains  those  segments  of  the  system 
that  are  necessary  to  perform  the  SASS  -  Host  computer 
system  interface  (construct  and  manage  a  file  hierarchy  and 
control  I/O  between  the  SASS  -  Host).  It  is  built  upon  the 
Kernel  and  performs  the  Host's  requests  by  calls  to  the 
Kernel  (the  calls  are  validated  by  the  Gate  Keeper  prior  to 
invocation  of  Kernel  functions).  Two  surrogate  processes. 
Input/output  (I/O)  and  file  management  (FM),  are  assigned  to 
each  Host  computer  system  at  system  generation.  The  FM 
process  directs  all  Interaction  between  the  SASS  and  a  Host 
computer  system.  Specific  functions  include  the  management 
of  the  Host's  file  hierarchy  (using  the  FM  Known  Segment 
Table  (FM_KST)  as  a  database)  and  discretionary  security 
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access  management  (checkin*  and  maintaining  an  Access 
Control  list  (ACI)  for  each  file  within  the  file  hierarchy). 
Controlling  discretionary  security  with  an  ACL  allows 
authorized  users  to  specify  who  may  use  segments  (files) 
within  the  confines  of  the  non-discreti onary  security 
policy.  Discretionary  security  will  he  defined  and  discussed 
in  more  detail  in  chapter  II. 

The  I/O  process  acts  in  a  slave  mode  to  the  JM 
process  and  is  responsible  for  all  input/output  between  the 
Supervisor  and  the  host  computer  systems.  Data  is 
transferred  between  the  Host  and  the  SASS  via  fixed  size 
"packets”  (a  grouping  of  data  in  a  specified  format).  To 
transmit  and  receive  packets  between  the  Host  and  the  SASS  a 
"protocol"  (or  formal  passing  method)  must  exist  between 
them.  The  I/O  process  is  responsible  for  the  SASS-Host 
protocol  (Parks  [7]  designed  a  multi-packet  protocol).  Parks 
provides  a  detailed  description  of  the  Supervisor  as  it  was 
originally  designed. 

4.  Gate  Keeper  Module 

The  Gate  Keeper  is  a  software  ring-crossing 
mechanism  that  provides  for  the  isolation  of  the  Kernel 
(viz.,  making  the  Kernel  procedures  tamperproof).  The  notion 
of  a  "ring-crossing"  mechanism  is  an  extension  of  the 
previous  discussion  of  domains  since  "protection  rings"  is 
simply  another  term  for  hierarchial  domains  (such  as  the 
SASS  arrangement  of  the  Kernel  and  the  Supervisor).  All 
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calls  to  the  distributed  kernel  and  IPC  with  the  Memory 
Manager  must  pass  through  the  Gate  Keeper  (viz..  It  is  the 
sole  entry  point  into  the  Kernel  from  the  Supervisor).  The 
Gate  Keeper  is  a  trap  handler?  when  invoked  hy  the 
supervisor  domain  of  a  process,  it  must  save  the  supervisor 
domain  registers  and  stack  pointer.  The  argument  list 
provided  hy  the  supervisor  domain's  call  (included  in  this 
list  must  be  the  identity  of  the  kernel  domain  function 
(procedure)  being  called)  is  validated  and,  if  correct, 
results  in  invocation  of  the  appropriate  procedure.  Hardware 
preempt  interrupts  ere  masked  upon  entry  into  the  Kernel. 

When  returning  (exiting  the  Kernel)  the  following  actions 
occur:  (1)  software  virtual  preempt  interrupts  are  unmasked 
(if  a  virtual  preempt  interrupt  has  occurred,  the  Traffic 
Controller's  virtual  interrupt  handler  is  called  vice  the 
Kernel  being  exited),  (2)  hardware  interrupts  are  unmasked, 

(3)  the  return  arguments  are  passed  to  the  Supervisor,  and 

(4)  the  Supervisor  domain  stack  pointer  and  registers  are 
restored,  returning  the  execution  point  to  the  Supervisor 
domain.  An  error  code  is  returned  and  the  Kernel  is  not 
invoked  when  an  invalid  call  is  encountered  by  the  Gate 
Keeper.  The  database  of  the  Gate  Keeper  is  the  Parameter 
Table.  This  table  contains  an  entry  for  each  permitted 
kernel  function  (e.g.,  Create_Segment,  Delete_Segment ,  etc.) 
and  is  used  to  validate  the  correctness  of  the  range  (size) 

of  the  parameters  passed.  \ 
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5.  Level  One  -  Kernel 

Level  one  is  the  Security  Kernel  (or  Kernel).  The 
Security  Kernel  in  the  inner  or  most  privileged  domain 
(system  mode  of  the  Z8001)  and  is  responsible  for  managing 
the  real  resources  of  the  hardware  system  (viz.,  memory, 
microprocessor,  external  devices,  and  input/output  ports), 
and  for  enforcing  the  non-discretionary  security  policy  for 
the  SASS.  The  Kernel  is  divided  into  two  major  components. 
The  first  is  the  distributed  kernel,  i.e.,  the  modules  in 
the  Kernel  whose  segments  are  placed  in  (or  distributed  in) 
the  address  spaces  of  each  Supervisor  process?  the 
distributed  kernel  consists  of  the  Gate  Keeper  (already 
discussed),  the  Segment  Manager,  the  Event  Manager,  the 
Traffic  Controller,  and  the  Inner  Traffic  Controller.  The 
second  component  is  the  non-distributed  kernel  and  consists 
of  the  asynchronous  memory  manager  process  (which  is 
contained  entirely  within  the  Kernel  address  space).  There 

is  a  memory  manager  process  for  each  hardware  processor  in 

_  < 

the  SASS.  The  following  section  will  identify  and  briefly 
describe  each  of  the  Kernel's  distributed  and 
non-distributed  system  components, 
a.  Segment  Manager 

The  Segment  Manager  (the  focal  point  of  this 
thesis)  is  a  component  of  the  distributed  kernel?  its 
function  is  the  creation  and  management  of  a  segmented 
virtual  memory  for  the  process.  Actual  memory  management 
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functions  are  completed  via  calls  for  IPC  to  the  Memory 
Manager  process.  Calls  to  (viz.,  entries  into)  the  Segment 
Manager  are  received  via  the  Gate  Keeper  from  the 
Supervisor.  These  entries  (viz.,  extended  instructions)  are: 

1.  Create_Segment  —  add  a  new  segment  to  the  SASS. 

2.  Delete_Segment  —  remove  a  segment  from  the  SASS. 

3.  Make_Known  —  add  a  segment  to  a  process'  address 
space. 

4.  Terminate  —  remove  a  segment  from  a  process' 
address  space. 

5.  SM_Swap_In  —  move  a  segment  from  secondary 
storage  to  main  memory. 

6.  SM_Swap_Out  —  move  a  segment  from  main  memory 
to  secondary  storage. 

The  process  local  database  used  by  the  Segment  Manager  is 
the  Known  Segment  Table  (KST).  The  KST  contains  entries  for 
all  segments  in  the  address  space  of  that  process.  The 
Segment  Manager  will  be  described  in  more  detail  in  chapters 
II  and  III. 

b.  Non-Discretionary  Security  Module 

The  Non-Discretionary  Security  (NES)  Module  is  a 
component  of  the  distributed  kernel;  its  function  is  the 
enforcement  of  the  non-discretionary  security  policy  in 
effect  in  the  SASS.  Although  the  implementation  presented  in 
this  thesis  reflects  the  DoD  non-discretionary  security 
policy,  any  security  policy  that  can  be  represented  by  a 
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lattice  structure  may  be  similarly  implemented.  To  implement 
a  different  policy  (e.g.,  Privacy  Act  or  a  local  policy) 
requires  only  replacement  of  the  Non-Discretionary  Security 
Module  {viz.,  the  modules  calling  it  can  he  left  intact  with 
no  changes  required  to  them).  The  NDS  Module  creates  the 
extended  instruction  set  CLASS_EQ  and  CLASS_GE.  The 
Non-Discretionary  Security  Module  and  the  information 
security  concepts  which  form  its  basis  will  he  discussed  in 
more  detail  in  chapters  II  and  III. 
c.  Event  Manager 

The  Event  Manager  is  a  component  of  the 
distributed  kernel*  it  is  invoked  by  the  Supervisor 
processes  via  the  Gate  Keeper.  This  module's  function  is  to 
manage  event  data.  Event  data  is  associated  with  a  global 
object  (called  an  eventcount).  An  eventcount  is  a  count  of 
the  number  of  events  (e.g.,  the  number  of  read  or  write 

accesses,  of  a  segment)  that  have  occurred  so  far  in  the 

execution  of  a  system.  In  SASS,  as  a  naming  convention,  each 
Supervisor  segment  has  two  eventcounts  associated  with  it. 
These  eventcounts  (Instancel  and  Instance2)  are  stored  in  a 
Memory  Manager  database.  The  Event  Manager  creates  the 
extended  instruction  set  READ  and  TICKET*  they  are  based  on 
the  mechanism  of  eventcounts  and  sequencers  (used  for  the 

synchronization  of  concurrent  processes).  READ  is  a  call 

that  returns  the  current  value  of  the  eventcount.  TICKET, 
using  a  nondecreasing  integer  called  a  sequencer  (also 
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associated  with  each  Supervisor  segment),  provides  a 

complete  time  ordering  of  possibly  concurrent  events.  Each 
invocation  of  the  function  TICKET  increments  the  value  of 
the  sequencer  and  returns  it  to  the  caller.  The 

eventcounts/sequencer  synchronization  mechanism  is  described 
in  detail  by  Reed  and  Kanodia  [8]  while  an  excellent 
abridged  discussion  is  presented  by  Gary  and  Moore  [4]  . 
d.  Traffic  Controller 

The  Traffic  Controller  (TC^  is  a  component  of 
the  distributed  kernel;  it  is  responsible  for  multiplexing 
processes  onto  virtual  processors.  A  virtual  processor  is  a 
data  structure  that  contains  a  complete  description  of  a 
process  in  execution  on  a  physical  processor  at  a  given 
instant.  A  "complete  description”  is  defined  to  consist  of 
the  execution  point  or  current  CPU  state  and  the  address 
space  (set  of  segments  accessible  by  that  process)  of  the 
process  in  execution.  The  Traffic  Controller  also  creates 
the  extended  instructions  ADVANCE  and  AWAIT  which  are  used 
to  implement  eventcounts  and  sequencers,  the  inter-process 
communication  (IRC)  mechanism  invoked  by  the  Supervisor,  and 
the  extended  instruction  PROCESS_CLASS .  PROCESS_CLASS  is 
invoked  by  the  Segment  Manager  and  returns  the  label 
(classification)  of  the  current  process.  The  Traffic 
Controller  is  half  of  a  two  level  traffic  controller;  the 
other  half  is  the  Inner  Traffic  Controller,  which 
multiplexes  the  virtual  processors  onto  physical  processors. 


24 


The  database  for  the  Traffic  Controller  is  the  Active 


Process  Table  (APT),  a  filed  size,  system  wide  database, 
that  contains  a  permanent  entry  for  each  Supervisor  process 
created  at  system  generation  (in  the  SASS  the  processes  are 
then  active  for  the  life  of  the  system).  The  APT  structure 
is  shown  in  figure  2.  The  scheduling  algorithms  and  a 
detailed  discussion  of  the  current  state  of  the  Traffic 
Controller  are  provided  by  Reitz  [9]  . 

e.  Inner  Traffic  Controller 

The  Inner  Traffic  Controller  (ITC)  is  a 
component  of  the  distributed  kernel;  it  is  the  other  half  of 
the  two  level  traffic  controller  and  its  function  is  to 
multiplex  (temporarily  bind)  virtual  processors  (VP)  to  the 
real  processors  of  the  system?  a  design  choice  was  made  to 
provide  each  system  CPU  with  a  small  fixed  set  of  virtual 
processors.  Two  of  the  VP's  are  the  Memory  Manager  VP  and 
the  Idle  VP  (the  latter  is  permanently  bound  to  the  lowest 
priority  virtual  processor  and  is  scheduled  by  the  ITC  only 
when  there  is  no  useful  work  for  the  CPU) .  The  remaining 
VP's  have  Supervisor  processes  temporarily  bound  on  them  by 
the  Traffic  Controller.  Another  function  of  the  ITC  is  to 
furnish  inter-process  services  for  VP's  in  the  kernel  ring. 
This  is  done  by  providing  the  primitives  SIGNAL  and  WAIT, 
that  are  used  by  processes  in  the  Kernel  ring  to  communicate 
with  other  Kernel  ring  processes. 
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This  is  the  mechanism  used  within  the  Kernel  to  provide 
multiprogramming  (process  switching).  The  ITC  Module  creates 
the  extended  instruction  set:  SIGNAL,  WAIT,  SWAPJTDBB,  IDLE, 
SET_PREEMPT,  TEST_PREEMPT,  and  RUNNING_VP.  The  functions  of 
SIGNAL  and  WAIT  have  been  discussed  already.  SWAP_VDBB 
provides  the  TC  with  a  means  to  schedule  processes  on  the 
currently  running  VP.  IDLE  loads  an  "idle”  process  on  the 
currently  running  VP.  SET_PREEMPT  sets  the  virtual  preempt 
interrupt  flag  on  a  specified  VP  (specified  by  the  TC ) . 
TEST_PREEMPT  provides  the  virtual  preempt  unmasking 
mechanism  that  is  executed  each  time  a  process  tries  to  move 
from  the  Kernel  to  the  Supervisor  domain.  The  database  used 
by  the  Inner  Traffic  Controller  is  the  Virtual  Processor 
Table  (VPT).  There  is  one  system  wide  table  with  entries  for 
each  physical  processor  in  the  system.  The  VPT  for  a  single 
processor  system  (such  as  SASS)  is  shown  in  figure  4.  The 
scheduling  algorithms  and  a  detailed  discussion  of  the 
current  state  of  the  Inner  Traffic  Controller  are  provided 
by  ReltzT9] . 

f.  Memory  Manager 

The  Memory  Manager  Module  is  the  only  component 
in  the  non-distributed  kernel.  There  is  a  Memory  Manager 
process  dedicated  to  each  physical  processor  (CPU)  in  the 
system. 
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The  Memory  Manager  is  responsible  for  managing 
the  real  memory  resources  of  the  system,  viz.,  local  and 
global  main  memory  and  secondary  storage.  The  memory  manager 
manages  the  local  and  global  memory  in  such  a  way  as  to 
control  bus  contention  in  the  multi-microprocessor 
environment.  Thus,  each  CPU  has  its  own  local  memory  to 
store  process  local  segments  and  there  is  a  global  memory  to 
which  every  CPU  has  access  and  in  which  shared,  writeable 
segments  must  be  stored.  This  requirement  is  to  ensure  that 
a  current  copy  is  always  accessed  for  a  shared,  writeable 
segment.  To  keep  bus  contention  between  processors  that 
access  global  memory  to  a  minimum,  whenever  possible  (viz., 
in  all  cases  but  shared,  writeable  segments)  segments  are  to 
be  stored  in  local  memory.  The  Memory  Manager  has  several 
databases,  primary  of  which  are  the  system  wide  Global 
Active  Segment  Table  (G_AST)  and  the  per  processor  local 
Active  Segment  Table  (I_AST).  A  more  detailed  description  of 
the  Memory  Manager  Module  is  presented  in  chapters  II  and 
III. 

6.  Level  Zero  -  Hardware 

The  Z8001  microprocessor,  Z8010  Memory  Management 
Unit  (MMU),  local  and  global  memories,  and  secondary  storage 
form  the  SASS'  basic  hardware  group.  Since  the  design  calls 
for  SASS  to  exist  in  a  multi-microprocessor  environment, 
there  will  be  multiple  copies  of  some  elements  of  the  group, 
e.g.»CPU,  local  memory.  The  Z8001  microprocessor  is  a 
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register  oriented  machine  that  has  sixteen  16-hit  general 
purpose  registers.  When  operated  with  the  MMU ,  the  desired 
capabilities  of  memory  segmentation,  multiple  domains,  and 
process  switching  are  realized.  The  MMU  consists  of  a  set  of 
registers  (64)  to  implement  the  descriptor  list  (or 
descriptor  segment);  viz.,  each  register  contains  the 
descriptor  (containing  the  attributes)  of  a  particular 
segment.  Zilog  [14]  provides  a  detailed  description  of  the 
Z8001  microprocessor  and  Zilog  [15]  describes  the  Ze010  MMU . 

C.  STRUCTURE  0?  THE  THESIS 

This  thesis  describes  the  implementation  of  the  segment 
management  functions  for  the  SASS.  The  design  "base"  evolved 
from  the  original  secure  family  of  operating  systems 
identified  and  designed  by  O'Connell  and  Richardson.  A  block 
structured  language,  PLZ/STS,  was  used  in  this  and  previous 
design  efforts,  while  implementation  was  completed  using 
PLZ/ASM  assembly  code.  PLZ/STS  is  described  by  Snook  [12] 
and  Conway  [2]  while  PLZ/ASM  is  described  by  Zilog  [13] .  A 
compiler  for  PLZ/STS  to  PLZ/ASM  code  translation  was  not 
available.  As  a  result,  implementation  included  the  added 
step  of  manual  translation  of  PLZ/STS  code  to  PLZ/ASM  code 
to  facilitate  testing  and  debugging. 

In  this  chapter  an  introduction  to  SASS  was  provided 
through  discussion  of  its  background  and  an  overview  of  the 
entire  system.  A  summary  of  the  extended  instruction  sets 


created  by  the  Kernel  components  and  a  summary  of  the  Kernel 
databases  is  presented  in  figures  4  and  5. 

Chapter  II  of  this  thesis  will  present  a  description  of 
the  segment  management  functions  in  SASS.  Discussion  of  the 
theory  behind  information  security  and  its  implications  to 
SASS  is  also  provided.  The  modules  encompassed  by  segment 
management  will  be  discussed  in  terms  of  their  design, 
functional  purpose,  and  database  descriptions. 

Chapter  III  presents  the  implementation  of  segment 
management  (viz.,  the  segment  manager,  non-discretionary 
security,  and  distributed  memory  manager  modules). 
Description  of  design  and  implementation  criteria,  and 
choices  made  during  implementation  are  discussed  in  this 
chapter. 

Chapter  IV  provides  the  conclusions  reached,  status  of 
research,  and  recommendations  relative  to  continuation  and 
extension  of  the  work. 

Appendices  Include  PLZ/ASM  code  for  the  modules,  the 
program  listings  for  the  Segment  Manager  demonstration  and  a 
summary  of  the  refinements  made  to  previous  design/code 
relative  to  SASS. 
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Figure  5.  Kernel  Catalases 


II.  SEGMENT  MANAGEMENT  FUNCTIONS 


A  conceptual  discussion  of  the  functions  associated  with 
segment  management  is  presented  in  this  chapter.  As 
previously  mentioned,  two  dominating  goals  of  SASS  were  to 
provide  multilevel  controlled  access  to  information  and  to 
provide  for  controlled  sharing  of  Information.  The  major 
factor  in  controlled  access  (which,  in  effect,  refers  to 
information  security)  and  in  information  sharing  is  the 
concept  of  segmentation.  Segmentation,  data  sharing,  and 
information  security  will  he  discussed  relative  to  their 
value  to  SASS. 


A.  BASIC  CONCEPTS/DISCUSSION 
1.  Segmentation 


Segmentation  has  previously  been  defined  as  the 
technique  for  managing  segments  of  an  address  space  where  a 
segment  is  defined  to  he  a  logical  grouping  of  information 


which  possesses  the  qualities  of  having  uniform  attributes, 
being  logical  (vice  physical),  being  visible  to  the  user  and 
being  arbitrary  in  size.  Based  upon  this  notion,  a  process' 
address  space  is  then  viewed  as  consisting  of  the  collection 
of  segments  that  the  process  may  access.  In  a  segmented 
environment  all  addresses  require  two  components:  (1)  a 
segment  specifier  (number)  and  (2)  the  location  (offset) 
within  the  segment.  Each  segment  may  have  attached  to  it 


logical  attributes  that  enable  certain  important  control 
features  to  be  implemented.  Controlled  access  and 
information  sharing  implementation  is  specifically 
facilitated.  By  including  classification  and  access 
information  in  a  segment's  logical  attributes,  a  method  to 
enforce  information  security  is  provided.  Segmentation 
supports  information  sharing  since  it  allows  a  segment  to 
belong  to  more  than  one  address  space,  that  is,  a  single 
physical  copy  may  be  accessed  by  more  than  one  process. 
Controlled  physical  sharing  of  information  (within  access 
constraints)  is  achieved,  in  the  case  of  SASS,  by  putting 
segments  which  are  shared  and  writeable  into  the  system's 
global  memory  (vice  a  copy  in  each  local  memory). 

Segmentation  also  facilitates  the  implementation  of 
multiple  protection  domains  in  SASS.  A  process'  address 
space  is  divided  into  domains  or  arrangements  of  segment 
accessibility.  The  Kernel  domain  is  the  most  privileged  and 
includes  all  segments  of  the  address  space,  while  the 
supervisor  domain  is  less  privileged  and  excludes  segments 
representing  the  management  of  the  shared  resources  by  more 
than  one  process. 

2.  Data  Sharing 

The  facility  to  share  a  single  segment  (and  thus  a 
single  copy  of  the  information  to  be  accessed)  by  many 
processes  is  a  significant  feature  that  is  facilitated  via 
segmentation.  In  short,  by  processes  sharing  a  common 
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physical  copy  of  a  segment,  there  is  no  requirement  for 
duplicate  copies  and  thus  no  possibility  exists  of  having 
copies  that  are  not  up  to  date.  In  SASS,  given  the  global 
memory/local  memories  environment,  the  policy  is  to  put 
copies  of  segments  in  local  memory  except  in  the  case  of 
shared  and  writeable  segments,  which  are  placed  in  global 
memory  for  sharing  purposes  among  processes  with  the 
appropriate  access. 

Segmentation  is  vital  to  this  policy  since  only 
through  explicit  segmentation  can  SASS  know  the  read/write 
properties  of  the  information.  Thus,  segments  which  are 
shared  but  have  read  only  access  (by  all  processes  that  may 
access  it)  are  not  put  into  global  memory  but  rather  into 
the  local  memory  of  each  of  the  processes  that  may  access  it 
(viz.,  multiple  copies  exist).  There  is  no  possibility  of 
the  multiple  copy/  out  of  date  copy  problem  since  only  read 
access  is  allowed.  However,  this  is  a  seeming  waste  of 
memory  and  nonuse  of  the  sharing  facility  provided  by 
segmentation.  The  justification  is  based  on  a  design 
decision  motivated  by  another  goal  of  SASS  —  reduction  of 
bus  contention  among  processors  accessing  global  memory. 
This  Is  considered  to  be  of  more  importance  than  the  saving 
of  memory  space  offered  by  single  copy  sharing  of 
information;  as  stated  before,  the  cost  of  memory  has  gone 
down  significantly  in  the  last  few  years  thus  reducing  its 
Influence  on  decisions  such  as  this. 
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3 .  Information  Security 

Information  security  in  a  computer  environment  only 
recently  began  to  receive  the  attention  that  it  deserves. 
Few  people  have  been  far  sighted  enough  to  view  computer 
security  in  an  analogous  manner  to  communications  security 
(an  area  which  has  received  considerable  military  and 
commercial  attention  throughout  history,  especially  since 
the  advent  of  electronic  communications).  Only  through  harsh 
and  embarrassing  lessons  has  the  importance  of  computer 
security  being  recognized.  The  range  of  problems  encountered 
covers  virtual  every  level  of  computer  usage:  banks  and 
commercial  enterprises  are  victims  of  theft  through  the 
felonious  use  of  computers?  universities  are  the  victims  of 
undesired  users  entering  their  systems  and  either 
maliciously  or  accidentally  destroying  valuable  programs? 
and  the  military  faces  the  real  possibility  that  classified 
material  is  being  accessed  by  foreign  agents  without  our 
knowledge  and/or  crucial  systems  are  being  tampered  with 
without  our  knowledge.  The  effects  of  these  type  actions  may 
be  as  small  as  simple  embarassment  or  as  serious  as 
undermined  military  preparedness.  It  should  be  clear  that 
information  security  is  a  serious  issue.  Definitively,  this 
thesis  will  consider  Information  security  as  the  process  of 
providing  controlled  access  to  information  based  on  proper 
authorization.  A  pertinent  Information  security  goal  is  to 
provide  a  "multilevel"  information  security  environment 
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(that  is,  an  environment  where  multiple  levels  of  sensitive 
information  and  user  accessibility  to  that  information  exist 
together  in  a  manner  such  that  security  is  not  compromised). 
The  key  to  achieving  computer  security  lies  with  the  concept 
of  the  "security  kernel".  A  discussion  of  this  concept  and 
some  supporting  definitions  is  provided  in  the  next  section, 
a.  Basic  Security  Principles 

The  protection  of  secure  information  in  computer 
systems  is  affected  through  two  types  of  control:  (1) 
external  controls  —  where  physical  means  are  used  to 
securely  isolate  the  computer  system  (e.g.,  an  armed  guard) 
and  (2)  internal  controls  —  where  the  computer  itself 
provides  protection  by  distinguishing  information  security 
levels  and  user  accesibilities .  Although  the  discussion  in 
this  thesis  centers  around  internal  controls,  external 
controls  are  also  a  viable  and  important  aspect  of  the  SASS 
(and  other  computer  system's)  information  security.  As 
previously  stated,  the  key  (or  answer)  to  computer  security 
lies  in  the  security  kernel  concept.  Schell  [11]  provides  a 
detailed  development  of  the  theory  behind  this  concept.  The 
security  kernel  is  defined  as  that  part  of  the  computer 
system's  hardware  and  software  which  enforces  the  authorized 
access  relationships  between  the  user/process  (subject)  and 
the  accessed  information  (segment  or  object). 

An  important  aspect  to  the  development  of  a 
secure  kernel  based  system  is  the  security  policy  to  be 
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enforced.  There  are  two  distinct  aspects  of  security  policy. 
The  first  is  the  non-discretionary  (mandatory)  policy  that 
eiternally  constrains  what  access  is  permissable?  this 
policy  is  manifested  and  implemented  in  an  arrangement  where 
information  in  the  form  of  a  segment  (called  an  "object" )  is 
labelled  as  to  its  sensitivity?  the  same  is  done  with  the 
party  requesting  access  (the  user/process,  called  a 
"subject”).  The  relationship  between  the  subject  and  object 
"labels”  that  leads  to  an  access  permission  or  denial  is 
defined  by  a  lattice  structure  [3]  .  This  lattice  structure 
concept  will  be  discussed  in  the  neit  section.  The  second 
aspect  of  security  policy  is  the  discretionary  policy,  which 
is  a  refinement  within  the  non-discretionary  constraints.  It 
is  emphasized  that  discretionary  security  is  contained 
within  (and  in  no  way  substitutes  for)  non-discretionary 
security.  An  example  is  the  "need  to  know"  policy  of  the 
DoD.  Implementation  of  the  discretionary  security  policy  for 
SASS  is  accomplished  in  the  Supervisor  through  the 
maintenance  of  an  Access  Control  List  (ACL)  for  each  file  in 
the  file  hierarchy.  Each  access  attempt  to  a  file  is  checked 
against  the  ACL  and  access  is  granted  In  accordance  with 
that  check  and  the  non-discretionary  security  check 
(whichever  granted  the  least  access).  This  allows  the  users 
to  specify  (subject  to  non-discretionary  security 
constraints)  who  may  access  their  files.  Since  the 
implementation  of  the  discretionary  security  policy  is  not  a 
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part  of  this  thesis,  a  detailed  discussion  is  not  provided. 
Parks  [7]  provides  a  discretionary  security  policy  design 
for  SASS. 

Implementation  of  a  security  policy  requires  an 
awareness  of  and  consideration  for  several  basic  security 
properties  which  are  briefly  defined  below. 

The  Simple  Security  Condition  restricts  a 
subject's  read  access  to  objects  whose  classification  is 
equal  to  or  less  than  than  the  subject's  classification  (the 
term  classification  will  hereafter  be  used  to  indicate  a 
degree  of  sensitivity  or  security  importance). 

The  Confinement  Property  (or  "’“‘-property*  ) 
restricts  a  subject's  write  access  to  objects  whose 
classification  is  equal  to  or  greater  than  the  subject's 
classification.  This  property  prevents  a  subject  from 
writing  to  an  object  of  lower  classification  where  another 
subject  (of  less  than  the  original  subject's  classification) 
would  have  potential  access  thus  violating  security. 

The  Compatibility  property  has  as  a  basis  the 
hierarchial  structure  of  the  objects  (segments)  of  SASS.  The 
objects  of  SASS  are  hierarchially  organized  in  a  tree 
structure.  The  structure  consists  of  nodes,  leaves,  and  a 
root  from  which  the  tree  emlnates.  A  node  (an  alias  table 
that  contains  a  list  of  attributes  for  segments)  is  directly 
associated  with  a  segment  that  is  the  "mentor"  for  one  or 
more  segments.  A  leaf,  viz.,  a  segment, 


is  not  an  alias 


table  but  may  be  a  mentor  segment  (with  the  same  access 
class  as  the  alias  table).  The  Compatibility  property 
basically  states  that  the  object  access  classification  must 
be  non-decreasing  in  moving  from  the  root  down  the  hierarchy 
(viz.,  the  access  classification  of  a  child  must  be  greater 
than  or  equal  to  its  parent). 

b.  Lattice  Model  Abstraction 

A  lattice  model  of  secure  information  flow 
concept  (discussed  by  Denning  [3] )  permits  concise 
formulations  of  the  security  requirements  of  different 
systems  and  facilitates  the  construction  of  mechanisms  that 
enforce  security.  Specifically,  the  relationship  between 
classifications  can  be  represented  by  a  partially  ordered 
lattice  structure  (examples  illustrating  this  concept  are 
presented  in  the  next  section).  Authorizations  for  access 
(or  decisions  on  compatibllty)  then  ajje  based  on  this 
lattice.  With  the  properties  previously  discussed  as  a 
basis,  the  accesses  permitted  are  defined  below  ("sac"  is 
the  abbreviation  for  "subject  access  classification"  and 
"oac"  for  "object  access  classification"  and  ”!"  denotes 
"not  related"): 


1. 

2. 

3. 

4. 


sac  *  oac, 
sac  >  oac, 
sac  <  oac, 
sac  !  oac. 


read/write  permitted 
read  permitted 
write  permitted 
no  access  permitted 
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Case  3  represents  a  subject's  ability  to  "write 
up",  which  is  a  capability  not  supported  in  SASS;  thus  for 
SASS,  case  3  is  more  accurately  represented  as: 

3.  sac  <  oac,  no  access  permitted 
At  this  point,  no  design  detail  has  been  provided  for  the 
representation  of  a  classif ication  or  for  defining  how  two 
classifications  are  compared  and  determined  to  be  "equal", 
"greater  than",  "less  than",  or  "unrelated”  (viz.,  what  does 
sac>oac  mean?).  The  next  section  will  illustrate  these  ideas 
both  generally  and  by  examples, 
c.  Examples 

Based  on  military  influence,  the  examples 
provided  are  reflective  of  a  subset  of  the  DoD 
non-discretionary  security  policy.  A  classification  (or 
label)  is  defined  to  have  two  parts:  (1)  a  level  (e.g.,  top 
secret,  secret,  confidential,  or  unclassified  in  the 
example)  and  a  category  (e.g.  Crypto  (Cy),  Nato  (N),  Nuclear 
(Nu),  or  empty  (%)  in  the  example).  In  the  actual 
implementation  (chapter  III),  provisions  will  be  made  for 
eight  levels  and  sixteen  categories.  (In  some  reference 
texts,  levels  are  called  categories  and  categories  are 
called  compartments).  The  levels  are  defined  by  a  "totally 
ordered"  relationship  where  all  levels  are  related: 

Top  Secret  >  Secret  >  Confidential  >  Unclassified 

or 

TS  >  S  >  C  >  U 
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The  categories  are  defined  as  "disjoint"  (no  relationship 
exists  when  comparing  individual  categories  with  other 
Individual  categories).  The  classifications  (labels)  (  the 
concatenation  of  level  with  category)  then  are  defined  to 
have  a  "partially  ordered”  relationship  since  some  but  not 
all  classifications  are  related.  The  cases  to  be  illustrated 
will  be  illustrated  through  a  general  case  and  then  by 
specific  examples.  The  general  structure  is  defined  by: 
Subject's  classification  =  (IS,  {CS}) 

Object's  classification  *  (LO,  {CO}) 
where : 

LS  =  Subject's  level 
{CS}  »  Subject's  set  of  categories 
LO  »  Object 's  level 
{CO}  =  Object's  set  of  categories 
The  non-inclusive  set  of  partially  ordered  examples  will  be 
chosen  from  a  subset  of  the  classifications  derivable  from 
the  set  of  totally  ordered  levels  and  the  set  of  disjoint 
categories : 

{TS,S,C,(J}  and  {Cy,N,Nu,%} 

Case  I  :  Equal  (sac  =oac) 

General  -  LS  =  LO  and  {CS}  *  {CO} 

Examples  -  (TS,{Cy,N})  =  (TS,{Cy,N}) 

-  (U,  {Cy}  )  =  (U  ,{Cy}  ) 

Access  -  Read/Write 
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Case  II:  Greater  than  {sac  >  oac) 


(1)  General  -  LS  >  10  and  {CO}  subset  to  { C S } 
Examples  -  (S,{N, Nu}  )  >  (C,{N}  ) 

-  (S,{N,Nu}  )  >  (U,{%>  ) 

(2)  General  -  LS  >  LO  and  (CS>  =  {CO} 

Examples  -  ( TS , {%}  )  >  (S , {%}  ) 

-  (S,  {Nu,N})  >  (U,{Nu,N}  ) 

(3)  General  -  IS  *  LO  and  {CO}  proper  subset  to  { C S } 
Examples  -  (G,  {Nu}  )  >  (U,{%}  ) 

( TS  ,{Cy  ,N  ,Nu}  )  >  (TS , {Cy}  ) 

Access  -  Read 

Case  III:  Less  than  (sac  <  oac) 

(1)  General  -  LS  <  LO  and  {C S >  subset  to  {CO} 
Examples  -  (S,  {%}  )  <  (TS,{N}  ) 

-  (U,  {N.Nu})  <  (C,  {Cy,NfNu}) 

(2)  General  -  LS  <  LO  and  {CS}  »  {CO} 

Examples  -  (S,  {%}  )  <  ( TS , {%}  ) 

-  (U,  {N , Nu }  )  <  (C,  {N ,  Nu}  ) 

(3)  General  -  LS  *  LO  and  {CS}  proper  subset  to  {CO} 
Examples  -  (U,  {%}  )  <  (U,  {N}  ) 

-  (C,  {N,Cy})  <  (C,{N ,Nu,Cy}) 

Access  *  no  access  (in  SASS ) 

»  Write  (In  principle) 

Case  17  :  Unrelated  (sac  !  oac) 

(1)  General  -  LS  <t>,or  =  LO  and  {CS}  !  {CO} 
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Examples  -  (S,  {N}  )  j  (C,  {Nu}  ) 

-  (C,  {Nu}  )  !  (S,  {N  }  ) 

-  (TS  ,{N}  )  |  ( TS , {Cy}  ) 

(2)  General  -  IS  >  10  and  { CS}  proper  subset  to  {CO} 
Examples  -  (TS,{X}  )  !  (S,  {N}  ) 

-  (C,  { N , Nu } )  !  (U,{N,Nu,Cy}) 
Explanation  -  there  is  a  contradiction  between 

the  relationship  of  the  levels  and 
the  relationship  of  the  categories. 
Since  this  contradiction  is 
unresolvable ,  the  classification 
relationship  must  be  "unrelated". 

(3)  General  -  IS  <  LO  and  { CO}  proper  subset  to  {CS} 
Examples  -  (S,  {N,Nu}  )  {  (TS,  {N}) 

-  (U,  {Cy}  >  !  (C.  {%}) 

Explanation  -  same  as  above 
Access  =  No  access 
d.  Applications  to  the  SASS 

The  cases  above  are  designed  to  identify  each 
possible  relationship  that  exists  between  two  labels.  In  the 
SASS,  it  is  necessary  only  to  identify  cases  I  and  II  (label 
1  >=  label  2),  while  lumping  the  other  cases  into  a  single 

case  which  represents  "no  access".  This  arrangement 
encompasses  enforcement  of  the  Confinement  Property,  Simple 
Security  Condition,  and  the  Compatibility  property. 
Enforcement  must  occur  on  every  access  attempt  of  an  object. 
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A  discussion  of  the  implementation  of  non-discretionary 
security  policy  is  provided  in  the  next  chapter. 


B.  SEGMENT  MANAGES 
1 .  Function 

The  Segment  Manager  is  the  focal  point  of  the 
segment  management  function.  Using  the  per-process  Known 
Segment  Table  as  its  database  and  the  Memory  Manager  and 
Non-Discretionary  Security  Module  in  strongly  supportive 
roles,  it  is  responsible  for  managing  the  segmented  virtual 
memory  for  a  process.  Its  role  can  be  viewed  as  somewhat 
intermediary  in  nature  (viz.,  between  the  Supervisor  modules 
and  the  Memory  Manager  modules).  The  extended  instruction 
set  created  in  the  Segment  Manager  includes  the  following 
instructions:  CHEATE_SEGMENT,  DELETE_SEGMENT,  MAKE_KNOWN , 
TERMINATE  ,  SM_SWAP_IN,  and  SM_SWAP_OUT  (note  that  the  names 
for  SWAP_IN  and  S¥AP_OUT  have  been  modified  by  preceding 
each  with  SM_;  this  is  strictly  for  clarity  because  the 
Memory  Manager  also  creates  two  instructions  called  SWAP_IN 
and  SVAP_OUT).  These  Instructions  are  invoiced  by  the 
Supervisor  domain  of  the  process  (viz.,  calls  are  made  from 
the  Supervisor  domain  via  the  Gatekeeper  to  the  Segment 
Manager  in  the  Kernel  domain)  to  provide  SASS  support  to  the 
Host. 

In  general,  when  the  Segment  Manager  receives  these 
calls,  it  performs  certain  checks  to  ensure  the  validity  and 
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security  compliance  (when  required)  of  the  request  (call). 
These  checks  are  performed  using  its  own  database  (the  KST) 
and  by  calls  to  the  Non-Discretionary  Security  Nodule  (when 
required).  The  Segment  Manager  invokes  one  of  six  Memory 
Manager  (more  specifically,  the  Distributed  Memory  Manager 
Module)  created  instructions.  These  instructions  include: 

mm_cheats_entpy,  mm_delete_entry,  mm_activate, 

MM_DEACTIVATE,  MM_SWAP_IN,  and  MM_SWAP_OUT.  These  invoked 
instructions  (procedures)  in  turn  perform  interprocess 
communciations  with  the  non-distributed  memory  manager 
process  (where  actual  memory  management  functions  are 
accomplished).  These  interprocess  invocations  and  returns 
are  accomplished  through  the  use  of  the  IPC  primitives 
Signal  and  Wait.  The  Segment  Manager  returns  the  required 
arguments  to  the  Supervisor  by  value  (as  passed  back  to  it 
by  the  Memory  Manager  and/or  determined  within  itself).  The 
Segment  Manager  performs  actual  segment  number  assignment 
when  a  segment  is  made  known  to  a  process'  address  space.  It 
also  performs  any  further  database  (KST)  updating  as  may  be 
required.  A  more  detailed  description  of  the  specifics  of 
the  actions  of  the  Segment  Manager  will  be  provided  in  the 
implementation  described  in  Chapter  III. 


2.  Database 

The  Known  Segment  Table  (KST)  is  the  database  used 
to  manage  segments.  The  KST  is  described  in  its  tabular  form 
and  PLZ/S^S  structured  representation  in  figure  6.  There  are 
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several  basic  and  pertinent  facts  to  be  noted  of  the  KST: 

1.  It  is  a  process  local  database;  that  is,  each  process 
has  its  own  KST. 

2.  The  KST  is  indexed  by  segment  number;  each  record 
of  the  KST  consists  of  a  set  of  fields  (description 
information)  regarding  a  particular  segment. 

3.  Entering  information  into  the  fields  of  a  segment 
is  called  "making  a  segment  known".  This  simply 
refers  to  adding  a  segment  to  a  process'  address 
space  (viz.,  making  a  segment  accessible  to  a 
process). 

4.  In  SASS,  a  correspondence  exists  between  making  a 
segment  "known"  and  making  a  segment  "active";  i.e., 
when  a  segment  is  added  to  the  address  space  of 

a  process,  this  action  results  in  an  entry  in  the 
KST  (making  "known")  by  the  Segment  Manager  and  an 
entry  in  the  Global  Active  Segment  Table  (G_AST) 
by  the  Memory  Manager  process  (making  it  "active" ). 
The  G_AST  will  be  described  later  in  this  chapter. 

A  proper  description  of  the  structure  and  fields  of  the  KST 
is  necessary  at  this  point.  Using  the  representation  of  the 
PIZ/STS  language  structure,  the  KST  is  described  as  an  array 
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of  records  of  fields  of  varying  types.  The  fields  are 
described  separately  below.  Although  the  1ST  index  is  not  in 
itself  a  field  in  the  recoru,  it  does  perform  a  rather 
significant  role.  The  KST  index  is  an  integer  closely 
related  to  the  segment  number  of  the  segment  described  in 
that  KST  entry  (viz.,  it  is  the  subscript  into  the  array  of 
records).  This  segment  number  also  corresponds  to  the  MMU 
descriptor  register  (number)  for  that  segment. 

The  MM_Handle  is  the  first  field  in  a  KST  record. 
The  MM_Eandle  is  a  system  wide  unique  number  that  is 
assigned  to  each  segment  with  an  entry  in  the  G_AST  (viz., 
every  active  segment).  This  "handle”  is  the  instrument  of 
controlled  single  copy  sharing  of  information  (segments).  It 
allows  a  segment  to  exist  under  one  unique  handle  but  be 
accessible  in  the  address  space  of  more  than  one  process 
(with  different  segment  numbers  in  each  address  space).  The 
MM_Bandle  is  returned  to  the  Segment  Manager  by  the  Memory 
Manager  during  the  execution  of  the  Make_Known  instruction. 

The  Size  field  is  an  integer  value  (of  language 
structure  type  "word”)  which  represents  the  number  of  256 
byte  blocks  composing  a  segment. 

The'  Access_Mode  £ield is  used  to  describe  the 
process'  access  to  the  segment  (i.e.,  null  or  read  and/or 
wri  te ) . 
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The  In_Core  field  is  used  to  indicate  if  the  segment 
is  or  is  not  in  main  memory  (i.e.,  this  field  is  a  flag  or 
true/false  boolean  switch). 

The  Class  field  is  a  long  word  field  used  to 
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represent  the  degree  of  information  sensitivity  (viz., 
access  class)  assigned  to  the  segment.  This  field  (for 
example)  would  he  used  to  numerically  describe  a 
classification  label  (as  described  above). 

The  Kentor_Seg_Nr  field  is  a  number  representing  the 
segment  number  of  a  segment's  parent  or  "mentor"  segment. 
Its  importance  will  discussed  shortly. 

The  3ntry_Nr  field  is  a  number  representing  a 
segment's  index  number  into  its  parent  or  mentor  segment's 
Alias  Table  (not  yet  discussed). 

The  Alias  Table  is  a  Memory  Manager  database  and 
will  be  described  later.  The  aliasing  scheme  provided  via 
the  alias  tables  is  used  to  prevent  passing  system  wide 
information  out  of  the  Kernel  (i.e.,  the  Unique_IE  of  a 
segment).  The  "alias"  of  a  segment  is  the  concatenation  of 
the  Mentor_Seg_Nr  with  the  segment's  Entry_Nr  (index)  into 
the  mentor  segment's  Allas  Table.  It  is  clear  that  the  last 
two  fields  of  a  KST  record  are  the  "alias"  of  that  segment. 
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c.  non-discretionary  security  module 

The  key  in  protection  of  secure  information  using 
internal  controls  was  identified  as  the  security  kernel 
concept.  The  basic  idea  within  this  concept  is  to  prove  the 
hardware  part  of  the  Kernel  correct  and,  similarly,  to  keep 
the  software  part  small  enough  so  that  proving  it  correct  is 
feasible.  A  central  component  of  the  kernel  software  is  the 
Non-Discretionary  Security  Module  (hereafter  referred  to  as 
the  NDS  Module).  The  NTS  Module  is  concerned  only  with  the 
non-discretionary  aspect  of  the  security  policy  in  effect; 
since  the  discretionary  aspect  is  subservient  in  nature  to 
the  non-discretionary  aspect,  it  is  then  sufficient  that  the 
Kernel  contain  only  the  software  representing  the 
non-discretionary  aspect  of  the  security  policy.  The 
discretionary  security  is  provided  outside  the  kernel  in  the 
SASS  supervisor.  Every  attempt  to  access  information  must 
result  in  an  Invocation  of  the  NDS  Module. 

The  function  of  the  NDS  Module  is  to  compare  two 
classifications  (viz.,  compare  two  labels),  make  a  decision 
as  to  their  relationship  (i.e.,  =,>,<,!),  and  return  a 
true/false  Interpretive  answer  relative  to  the  query  of  the 
calling  procedure.  The  mechanism  used  as  a  basis  is  the 
lattice  model  abstraction  previously  discussed.  The  NTS 
Module  does  not  require  a  database  since  the  labels  it 
compares  are  stored  in  (passed  from)  other  Kernel  databases. 


D.  MEMORY  MANAGER 


1 .  Function 

The  Memory  Manager  process  is  the  only  component  of 
the  non-dis tributed  kernel.  It  is  responsible  for  managing 
the  real  memory  resources  of  the  system  —  main  (local  and 
global)  memory  and  secondary  storage.  It  is  tasked  by  other 
processes  within  the  Kernel  domain  (via  Signal  and  Wait)  to 
perform  memory  management  functions.  This  thesis  will 
address  the  Memory  Manager  in  terms  of  two  components:  (1) 
the  Memory  Manager  Process  (also  called  the  nondistributed 
kernel  and  the  Memory  Manager  Module),  and  (2)  the 
distributed  Memory  Manager  (also  called  the  Distributed 
Memory  Manager  Module).  The  former  is  the  "true"  memory 
manager  while  the  latter  is  the  interface  with  other 
processes,  that  is,  it  resolves  the  issue  of  interprocess 
communication  with  the  "true"  memory  manager. 

The  Distributed  Memory  Manager  Module  creates  the 
following  extended  instruction  set:  MM_CREATE_ENTRY , 
MM_DELETE_ENTRY,  MM_ACT IT  ATE ,  MM_DEACTIVATE,  MM_SWAP_IN,  and 
MM  SWAP_OUT.  The  instructions  form  the  mechanism  of 
communication  between  the  Segment  Manager  of  a  process  and  a 
memory  manager  process  (where  the  actual  memory  management 
functions  are  performed).  The  Memory  Manager  Process 
instruction  set  corresponds  one  to  one  with  that  of  the 
Distributed  Memory  Manager?  the  set  consists  of: 
CREATE  ENTRT ,  DELETE  ENTRY,  ACTIVATE,  DEACTIVATE,  SWAP  IN, 
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and  S¥AP_OUT.  The  basic  functions  performed  by  the  Memory 
manager  are  allocation/deallocation  of  global  and  local 
memory  and  of  secondary  storage,  and  segment  transfers  from 
local  to  global  memory  (and  vice-versa)  and  from  secondary 
storage  to  main  memory  (and  vice-versa). 

2 .  Databases 

A  detailed  and  descriptive  discussion  of  the  Memory 
Manager  databases  is  presented  in  the  work  of  Gary  and  Moore 
[4]  and  the  reader  may  refer  to  it  for  memory  manager 
database  details.  This  thesis  addresses  the  implementation 
of  the  distributed  Memory  Manager  but  not  the  Memory  Manager 
Process,  thus  brief  descriptions  are  provided  of  the 
latter's  databases. 

The  Global  Active  Segment  Table  ( G_AST)  is  a  system 
wide  (i.e.,  shared  by  all  memory  manager  processes)  database 
used  to  manage  all  active  segments.  A  lock/unlock  mechanism 
is  used  to  prevent  race  conditions  from  occurring.  The 
distributed  memory  manager  of  the  signalling  process  locks 
the  G_AST  before  it  signals  the  memory  manager  process. 

The  Local  Active  Segment  Table  (L_AST)  is  a 
processor  local  database  which  contains  an  entry  for  each 
segment  active  in  a  process  currently  loaded  in  local 
memory . 

The  Allas  Table  is  a  system  wide  database  associated 
with  each  nonleaf  segment  in  the  Kernel.  It  is  a  product  of 
the  aliasing  scheme  used  to  prevent  passing  system  wide 
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information  out  of  the  Kernel.  The  alias  table  header 
(provided  for  file  system  reconstruction  after  system 
crashes)  has  two  pointers,  one  linking  the  alias  table  to 
its  associated  segment,  the  other  linking  the  alias  table  to 
the  mentor  segment's  alias  table.  The  fields  in  the  alias 
table  are  Unique_IE,  Size,  Class,  Page_Table_Loc  ,  and 
Alias_Table_Loc .  The  index  into  the  alias  table  is  Entry_No. 

The  Memory  Management  Unit  Image  (MMU_Image,  figure 
7)  is  a  processor  local  database  indexed  by  DBF._No  (vi2., 
for  each  DBR_No  there  is  a  MMU_Image  record,  with  each 
record  containing  a  software  image  of  the  segment  descriptor 
registers  of  the  hardware  MMU ) .  The  MMU_Image  is  an  exact 
image  of  the  MMU.  Each  record  is  Indexed  by  Segment_No 
(segment  number)  and  each  Segment_No  entry  contains  three 
fields.  The  Base_Addr  field  contains  the  segment's  base 
address  in  memory.  The  Limit  field  contains  the  number  of 
blocks  of  contiguous  storage  for  the  segment  (zero  indicates 
one  block).  The  Attributes  field  contains  8  flags  including 
5  which  relate  to  the  memory  manager.  The  Elks_Used  field 
and  the  Max_31ks  (available)  fields  are  per  record  (not  per 
segment  entry)  and  are  used  in  the  management  cf  each 
process'  virtual  core. 

The  Memory  Bit  Maps  (Disk_Bi t_Map, 
Global_Memory_Bit_Map,  and  local_Memory_Bi t_Map)  are  memory 
block  usage  maps  that  use  true/false  flags  (bits)  to 
indicate  the  use  or  availability  of  storage  blocks. 
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The  only  database  in  the  Distributed  Memory  Manager 
is  the  Memory  Manager  CPU  Table.  It  is  an  array  of  memory 
manager  ?P_ID's  (MM_7P_ID)  indexed  by  CPU  number.  This  table 
enables  a  signalling  process  to  identify  the  appropriate 
memory  manager  process  (virtual  processor)  to  signal. 

E.  SUMMARY 

The  segment  management  functions  and  key  related 
concepts  (such  as  segmentation)  were  discussed  in  this 
chapter.  The  importance  of  segmentation  to  data  sharing  and 
information  security  was  emphasized  as  were  key  information 
security  concepts.  With  this  background,  the  implementation 
of  segment  management  and  a  non-discretionary  security 
policy  will  be  described  in  Chapter  III. 
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Figure  B..  Memory  vanager-CPU  Table 


III.  SEGMENT  MANAGEMENT , IMPLEMENTATION 


The  implementation  of  segment  management  functions  and  a 
non-discretionary  security  policy  is  presented  in  this 
chapter.  Paramount  to  this  implementation  were  several  key 
issues  that  affected  the  implementation.  These  issues  are 
discussed  first.  The  implementation  is  discussed  in  terms  of 
the  Segment  Manager,  Non-Di scret ionary  Security  (NTS),  and 
Distributed  Memory  Manager  modules. 

A.  IMPLEMENTATION  ISSUES 

Segment  management  for  the  SASS  was  provided  through  the 
implementation  of  the  Segment  Manager  Module,  the  NDS 
Module,  and  the  Distributed  Memory  Manager  Module. 
Additionally,  since  a  demonstration/testbed  was  integral  to 
the  testing  and  verification  of  the  implementation,  it  was 
necessary  to  complete  other  supportive  tasks.  Reitz  [9] 
provided  a  demonstration  of  the  operation  of  the  Inner 
Traffic  Controller  primitives  SIGNAL  and  WAIT  (for 
interprocess  communication).  Integral  to  this  demonstration 
was  the  correct  performance  of  the  Inner  Traffic  Controller 
VP  scheduling  mechanism  and  a  ''stub"  of  the  Traffic 
Controller  and  its  process  scheduling  mechanism  (the  TC 
support  and  use  of  the  mechanism  of  eventcounts  and 
sequencers  was  not  a  part  of  the  demonstration).  The  Segment 
management  demonstration  (hereafter  referred  to  as 
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Seg_tfgr.Demo  )  was  "built  on  top  of"  Reitz'  ITC 
synchronization  primitive  demonstration  (hereafter  referred 
to  as  "Sync.  Demo").  Thus,  an  immediate  issue  was  to  resolve 
the  feasibility  of  adding  on  to  Sync. Demo  and  also  to  refine 
the  present  design  of  the  Sync.  Demo  to  facilitate  its 
integration  into  the  Seg_M*r .Demo .  One  aspect  of  this  effort 
was  in  resolving  the  problem  of  how  to  pass  (i.e.,  in 
interprocess  communication)  a  larger  message. 

1.  Interprocess  Messages 


The  Sync. Demo  passed  "word"  (16  bit)  messages.  To 
provide  the  mechanism  for  the  distributed  memory  manager  to 
signal  the  memory  manager  process  with  a  command  function 
identification  code  and  the  arguments  needed  to  perform  that 
function  (e.g.,  CREATE-ENTR?  and  its  input  arguments),  a 
message  size  of  at  least  eight  words  (16  bytes)  was 
necessary.  An  obvious  answer  was  to  signal  with  an  array  of 
eieht  words  as  the  message.  PLZ/SYS,  however,  does  not  allow 
passing  arrays  in  its  procedure  calls  (a  procedure  call  is 
analogous  to  a  subroutine  call).  Another  alternative  was  to 


signal  with  a  pointer  to  the  array  of  words,  since  PLZ/STS 
does  allow  passing  pointers  in  procedure  calls  (thus  the 
message  would  be  a  pointer  to  the  real  message).  This, 
however,  would  be  invalid  in  the  segmented  implementation 
(on  the  T8000  segmented  microprocessor)  since  identical 


segment  numbers  in  different  processes  may  not  refer  to 
identical  segments.  For  example,  a  pointer  in  a  process 
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(e.g.,  file  management)  points  to  an  array  (i.e.,  provides 
its  address)  by  segment  number  and  offset;  passing  this 
pointer  to  another  process  ( e.g . ,  memory  manager)  would 
provide  this  same  segment  number  and  offset  which,  of 
course,  may  be  a  different  object  in  the  second  process's 
address  space). 

Another  alternative  considered  was  that  of  a  shared 
"Mailbox"  segment  with  an  associated  eventcount  acted  on  by 
the  Kernel  Inner  Traffic  Controller  primitives 
TICKET, ADVANCE  and  AWAIT.  A  design  for  using  this  concept  in 
the  supervisor  ring  is  provided  by  Parks  [7]  .  This 
alternative  was  not  deeply  considered  since  these  primitives 
are  not  included  in  the  current  Inner  Traffic  Controller. 

The  method  ultimately  used  to  signal  the  new  length 
messages  is  based  on  the  fact  that  the  ITC  is  in  both  the 
signalling  and  the  receiving  (memory  manager)  processes' 
address  space.  The  message  is  loaded  into  an  array  in 
process  #1  and  a  pointer  to  the  array  is  passed  in  the  call 
SIGNAL;  the  7PT,  the  ITC's  database,  is  then  updated  by 
(using  the  pointer)  putting  the  message  into  its  MSC-_Q 
section.  The  message  is  retrieved  by  process  #2  by  execution 
of  Reitz'  WAIT  primitive  with  only  one  refinement.  That 
refinement  Is  for  the  "waiting"  process  to  provide  as  an 
argument  (in  the  WAIT  primitive)  a  pointer  to  its  own 
message  array  so  that  the  message  in  the  VPT  can  be  copied 
to  it. 
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This  refinement  provides  for  passing  a  lone  message 
essentially  "by  value"  between  processes. 

2.  Structures  as  Arguments 

Another  issue  concerned  the  use  of  pointers  in  the 
implementation  of  segment  management.  This  necessary  "evil" 
is  a  result  of  the  need  to  pass  linguistically  "complex" 
data  types  in  procedure  calls.  Complex  types  refer  to  array 
and  record  structures  in  PLZ/SYS  (as  opposed  to  the  "simple" 
types — byte,  word,  integer,  short-integer,  long,  and 
pointer).  In  managing  databases  (e.g.,  AST,  G_AST)  which 
consist  of  arrays  of  records  (which  in  turn  contain  records 
and/or  arrays),  it  was  frequently  necessary  to  reference 
data  as  an  array  or  record.  Within  a  process,  the  use  of 
pointers  was  not  a  problem  (i.e.»  not  a  problem  such  as 
would  be  encountered  in  IPC  passing  of  pointers). 

3.  Reentrant  Code 

The  issue  of  code  reentrancy  was  addressed  at  the 
assembly  language  level  through  the  use  of  a  stack  segment 
and  registers  for  storage  of  local  variables.  PLZ/SIS  (high 
level  language)  does  not  address  reentrant  procedures  and 
thus  the  segment  management  high  level  code  is  not 
automatically  reentrant.  The  problem  of  reentrancy  can  he 
seen  by  looking  at  a  shared  procedure  that  is  not  reentrant; 
such  a  procedure  has  storage  for  its  variables  allocated 
statically  in  memory.  Suppose  a  procedure  (e.g.,  in  the 
Kernel)  can  be  activated  by  more  than  one  process.  While  the 
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procedure  is  executing  in  one  process,  a  process  switch 
occurs  (e.«..  to  wait  for  a  disk  transfer)  and  its  execution 
is  suspended.  The  second  process  is  activated,  and  while  it 
is  running  it  invokes  the  procedure.  While  the  procedure  is 
executing  for  the  second  process  it  uses  the  same  storage 
space  for  variables  as  it  did  when  executing  for  the  first 
process.  Eventually,  it  relinquishes  the  processor.  However, 
when  the  procedure  resumes  its  execution  for  the  first 
process,  the  variable  values  that  were  in  use  by  it 
originally  have  been  changed  during  its  execution  in  the 
second  process.  Thus,  incorrect  results  are  now  inevitable. 

4.  Process  Structure  of  the  Memory  Manager 

References  to  the  "Memory  Manager"  in  past  works 

have  generally  meant  the  memory  manager  process 
( nan-distributed  kernel).  This  work  references  two  distinct 
components  of  the  "memory  manager  module".  The  Distributed 
Memory  Manager  is  an  interface  provided  to  the  Memory 
Manager  Process.  It  is,  in  fact,  distributed  in  the  address 
space  of  each  Supervisor  process.  In  contrast,  the  Memory 
Manager  Process  clearly  is  not  distributed  and  its  address 
space  is  contained  entirely  in  the  Kernel. 

5.  Per-Process  Known  Segment  Table 

Another  key  issue  was  that  of  the  per  process 
Segment  Manager  database,  the  KST.  Since  each  process  has 
its  own  KST,  it  cannot  be  linked  to  the  (shared)  segment 
manager  procedures.  To  implement  the  KST  as  a  per  process 
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database.  It  was  convenient  to  establish,  by  convention,  a 
EST  segment  number  that  is  consistent  from  process  to 
process.  That  segment  in  each  process  is  the  EST  segment  for 
that  process.  Implementation  is  then  accomplished  by  using 
the  segment  number  to  construct  a  pointer  to  the  base  of  the 
appropriate  KST.  It  is  then  easy  to  calculate  an  appropriate 
offset  to  index  any  desired  entry  in  the  KST  data. 

6 .  DBR  Handle 

In  Reitz's  implementation  of  the  multilevel 
scheduler  and  the  IPC  primitives,  references  to  "DBR” 
(descriptor  base  register)  are  references  to  an  address. 
That  address  value  represents  a  pointer  to  an  MMU_IMAGE 
record  containing  the  list  of  descriptors  for  segments  in 
the  process  address  space.  Gary  and  Moore  [4]  reference  a 
”DBR_NO”  that  is  essentially  a  handle  used  within  the  memory 
manager  as  an  index  within  the  MMU-_  IMAGE  to  a  particular  MMU 
record.  The  base  address  of  the  MMU  record  indexed  by  DB?._N0 
is  then  equivalent  to  the  concept  of  DBR  value  used  in 
Reitz'  work.  The  effect  of  this  inconsistency  on  the  segment 
management  implementation  was  minor  and  will  be  further 
discussed  later  in  this  chapter. 

B.  SEGMENT  MANAGER  MODULE 

The  Segment  Manager  Module  consists  of  six  procedures 
representing  the  six  extended  instiactions  it  provides. 
These  are  based  on  the  design  of  Coleman  [1] .  Only  calls 
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from  external  to  the  Kernel  (via  the  Gate  Keeper)  may  he 
made  to  the  Segment  Manager  (per  the  loop-free  structure  of 
the  SASS).  The  normal  sequence  of  invocation  of  the  Segment 
Manager  functions  to  allow  referencing  a  segment  is:  (1) 
CREATE_SEGMENT — allocate  secondary  storage  for  the  segment 
and  update  the  mentor  segment's  Alias  Table,  (2) 
MAKE_KNOWN — add  the  segment  to  the  process  address  space 
(segment  number  is  assigned),  (3)  SWAP_IN — move  the  segment 
from  secondary  storage  into  the  process's  main  memory.  The 
normal  sequence  of  invocation  to  "undo"  the  above  is:  (1) 
SWAP_0UT — move  the  segment  from  main  memory  to  secondary 
storage,  (2)  TERMINATE — remove  the  segment  from  the 
process's  address  space,  (3)  DELSTE_SEGMENT — deallocate 
secondary  storage  and  remove  the  appropriate  entry  from  the 
alias  table  of  its-  mentor  segment.  The  six  Supervisor 
entries  into  the  Segment  Manager  (viz.,  the  six  extended 
instructions)  will  be  discussed  individually  below.  The 
PIZ/STS  and  PLZ/ASM  listings  for  the  Segment  Manager  are  in 
appendices  A  and  B. 

1 .  Create  a  Segment 

The  function  that  creates  a  segment  (i.e.,  adds  a 
new  segment  to  the  SASS)  is  CREATE_SEGMENT .  This  function 
validates  the  correctness  of  the  Supervisor  call  by  checkin* 
the  parameters  and  making  certain  security  checks.  The 
distributed  memory  manager  is  then  called  to  accomplish 
interprocess  communication  with  the  Memory  Manager  Process, 
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where  segment  creation  is  realized  through  secondary  storage 
allocation  and  alias  table  updating. 

CREATE_SEGMENT  is  passed  as  arguments:  (l) 
Mentor_Seg_No — the  segment  number  of  the  mentor  segment  of 
the  segment  to  be  created,  (2)  Entry_No — the  desired  entry- 
number  in  the  alias  table  of  the  mentor  segment,  (3) 
Class — the  access  class  (label)  of  the  segment  to  be 
created,  and  (4)  Size — the  desired  size  of  the  segment  (in 
blocks  of  256  bytes).  The  initial  check  is  to  verify  that 
the  desired  size  does  not  exceed  the  designed  maximum 
segment  size.  If  this  check  is  satisfactory,  a  conversion  of 
the  Mentor_Seg_No  to  a  KST  index  is  necessary.  This  is 
because  the  Kernel  segments  use  the  first  several  segment 
numbers  available  but  do  not  have  entries  in  the  KST.  Thus 
if  there  were  10  Kernel  segments  and  a  system  segment  had 
segment  number  15,  then  its  index  in  the  KST  would  actually 
be  5  (l.e.,the  Kernel  segments  would  use  numbers  2-9,  and 
this  segment  would  be  the  sixth  segment  in  the  KST  and  its 
index  would  be  5).  A  call  is  then  made  to  the  procedure 
ITC_GET_SEG_PTR  with  the  constant  KST_SEG_N0  passed  as  a 
parameter.  This  procedure  will  return  a  pointer  to  the  base 
of  this  process'  KST.  This  pointer  is  then  the  basis  for 
addressing  entries  in  the  KST.  The  next  check  is  to  see  if 
the  mentor  segment  is  known  (viz.,  is  in  the  address  space 
of  the  process,  and  thus,  in  the  KST).  The  key  to 
determining  if  any  segment  is  known  is  the  mentor  segment 
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entry  (M_SEG_No)  for  that  segment  in  the  KST.  If  not  known, 
this  entry  in  the  segment's  KST  record  will  he  filled  with 
the  constant  NTJLL_SEG.  The  basis  for  checking  to  see  if  the 
segment's  mentor  segment  is  known  is  the  aliasing  scheme 
implication  that  a  mentor  segment  must  he  known  before  a 
segment  can  be  created.  The  process  classification  must  next 
be  obtained  from  the  Traffic  Controller.  The  process 
classification  is  checked  to  ensure  that  it  is  equal  to  the 
classification  of  the  mentor  segment  since  write  access  to 
its  alias  table  is  needed  to  create  a  segment.  The  NDS 
module's  CIASS_EQ  procedure  is  called  and  returns  a  code  of 
true  or  false.  The  last  check  is  the  compatibility  check  to 
ensure  that  the  classification  of  the  segment  to  be  created 
is  greater  than  or  equal  to  the  classification  of  the  mentor 
segment.  This  is  accomplished  by  calling  the  NDS  Module's 
CLASS_GE  procedure  which  returns  a  code  of  true  or  false.  If 
any  of  these  checks  are  unsatisfactory,  an  appropriate  error 
code  is  generated  and  the  Segment  Manager  returns  to  its 
calling  point.  If  all  checks  are  satisfactory,  then  a 
pointer  to  the  mentor  segment's  MM_Handle  array  is  derived 
(HPTR).  Note  that  in  the  current  memory  manager  design  [4] 
the  actual  MM_Handle  contents  are  a  Unique_IE  (a  long  word, 
viz.,  two  words  concatenated),  and  an  Index_No  (index  into 
the  G_AST ,  a  word)?  thus  together  these  two  fields  are  a 
total  of  three  words.  Since  the  Segment  Manager  does  not 
interpret  this  handle,  it  is  considered  a  three  word  array 
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at  this  level.  For  this  reason,  the  entire  uninterpreted 
MM_Handle  array  will  be  passed  by  passing  its  pointer.  This 
pointer  and  Entry_No,  Size,  and  Class  are  then  passed  in  a 
call  to  the  distributed  memory  manager  procedure 
MM_CREATE_ENTBY.  This  procedure,  in  turn,  performs  IPC  with 
the  memory  manager  process  where  segment  creation  ultimately 
is  accomplished.  A  success  code  is  returned  in  an  IPC 
message  from  the  memory  manager  process  via  the  distributed 
memory  manager  to  the  CT?EATE_SEGMENT  procedure  to  indicate 
success  or  failure  as  appropriate.  This  success  code  is 
checked  by  the  Segment  Manager  to  ensure  confinement  would 
not  be  violated  if  it  is  returned  to  the  calling  process' 
supervisor  domain.  Only  after  the  success  code  has  been 
returned  can  the  action  of  segment  creation  be  considered 
complete.  Segment  creation  does  not  imply  the  ability  to 
reference  that  segment;  MAKE_KNQWN  will  accomplish  that. 

2 .  Delete  a  Segment 

The  function  that  deletes  a  segment  (l.e.,  deletes  a 
segment  from  SASS)  is  DEIETE_SEGMENT.  Validation  of 
parameters  and  security  checks  are  performed  here  similar  to 
(but  fewer  than)  the  CREATE_SEGMENT  checks.  The  distributed 
memory  manager  is  then  called  to  cause  IPC  with  the  memory 
manager  process,  where  segment  deletion  is  realized  through 
secondary  storage  deallocation  and  alias  table  entry 
deletions.  DELETE_SEGMENT  is  passed  as  arguments:  (1) 
Mentor_Seg_No  and  (2)  Entry_No.  Conversion  of  the 
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Mentor_Seg_No  to  a  KST  index  is  accomplished  first.  The 
pointer  to  the  base  of  the  KST  is  located  and  returned,  as 
before.  The  mentor  segment  is  checked  to  ensure  it  is  known, 
again,  by  verifying  that  its  own  M_SEG_No  (mentor  segment 
number)  entry  in  the  KST  is  not  the  NULL_SEG.  The  process 
classification  is  obtained  from  the  TC  and  checked  (by  a 
call  to  C1ASS_E0)  to  ensure  it  is  equal  to  the  mentor 
segment  classification,  since  deleting  an  entry  requires 
write  access  to  the  alias  table.  If  all  checks  are 
satisfactory,  then  the  mentor  segment's  MM_Handle  pointer  is 
derived.  This  pointer  and  the  mentor  segment  alias  table 
entry  number  are  passed  in  a  call  to  the  distributed  menory 
manager  procedure  MM_DEIETE_ENT1[tY .  It  then  performs  IPC  with 
the  memory  manager  process  where  segment  deletion  is 
accomplished  and  a  success  code  is  returned  as  before. 

3 .  Make  a  Segment  Known 

The  function  that  makes  a  segment  known  (i.e.,  adds 
that  segment  to  the  process'  address  space  by  assigning  a 
segment  number,  updating  the  KST,  and  causing  the  memory 
manager  process  to  "activate"  the  segment  (that  is,  add  it 
to  the  AST  ))  is  MAKE_KNOWN.  Making  a  segment  known  is  the 
way  the  Supervisor  declares  its  intention  to  use  a  segment. 
MAKE_KNOWN  is  passed  as  arguments:  (l)  Mentor_Seg_No ,  (?) 
Entry_No,  and  (3)  Acess_Des ired  (e.g.,  wrice,  read,  or 
null).  It  returns  (1)  a  success  code,  (2)  the  access  allowed 
to  the  segment,  and  (3)  the  segment  number.  Conversion  of 
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the  mentor  segment  number  to  a  KST  index,  finding  the  KST 
pointer,  and  verifying  that  the  mentor  segment  is  known 
occur  as  previously  discussed. 


There  are  three  basic  cases  that  may  occur  in 
MAKEJCNOVN:  (1)  the  segment  is  already  known  (has  an  entry 
in  the  KST),  (2)  the  segment  is  not  known  and  there  is  a 
segment-number  available,  or  (3)  the  segment  is  not  known 
and  there  is  no  segment  number  available. 

A  search  is  made  of  the  KST  using  each  record's 
(segment's)  M_SEG_No  (mentor  segment  number)  and 
Entry_Number  fields  as  the  search  key.  If  these  two  fields 
match  the  input  values  Mentor_Seg_No  and  Ehtry_No,  then  the 
record  indexed  is  that  of  the  desired  segment;  thus  the 
segment  to  be  made  known  is  already  known.  In  this  case,  all 
that  need  be  done  is  to  return  the  success  code,  segment 
number  (converted  from  the  index  by  adding  to  it  the  number 
of  kernel  segments),  and  the  access  allowed  (equal  to  the 
Access_Mode  entry  in  the  KST  for  the  already  known  segment). 

During  the  search  of  the  KST,  the  f*_SEG_No  field  is 
also  checked  to  see  if  it  contains  the  NULL_SEG  entry  (this 
implies  that  the  segment  number  associated  with  the  record 
is  "available").  The  first  time  this  is  noted,  the  index  is 
saved.  Note  the  first  available  index  is  saved  since  it  is 
desired  to  assign  segment  numbers  at  the  "top”  of  the  KST  to 
keep  it  dense  there.  When  the  search  does  not  find  that  the 
segment  is  already  known,  the  index  for  the  available 
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segment  number  is  retrieved  and  converted  to  segment  number 
by  adding  to  it  the  number  of  kernel  segments.  If  this  index 
is  the  NGLL_SEG  entry,  then  there  is  no  segment  number 
available.  In  this  event,  the  success  code  is  set  to 
N0_SEG_A7AII ,  the  segment  number  is  assigned  NUII_SEG,  and 
access  allowed  is  set  to  NUL1_ACCESS  (this  is  the  third  case 
mentioned).  If  the  index  is  not  equal  to  NTJ1L_SEG  and 
conversion  to  segment  number  has  occurred  then  the  Traffic 
Controller  is  called  to  provide  the  DBB_No  (descriptor  base 
register  number)  for  the  current  process.  The  DE3_No  is  used 
by  the  memory  manager  process  as  an  index  in  the  MMU_Image 
and  the  local  AST.  The  distributed  memory  manager  procedure 
MM_Activate  is  called*  it  is  passed  the  EBB  number,  the 
pointer  to  the  mentor  segment's  MM_Handle  entry,  the  mentor 
segment  alias  table  Entry_No,  and  the  segment  number. 
MM_Activate  performs  the  normal  interface  function  (performs 
IPC  with  the  memory  manager  process  procedure  that  updates 
the  local  and  global  AST's)  and  also  updates  the  1ST  entry 
for  the  new  segment's  MM_Handle  entry  (returned  from  the 
memory  manager  process).  It  also  returns  to  the  Segment 
Manager  the  success  code,  the  segment  classification,  and 
the  segment  size  from  the  memory  manager  process.  If  the 
success  code  is  "succeeded”  then  the  issue  of  access  to  be 
granted  must  be  resolved.  The  process  classification  is 
obtained  from  the  TC  and  passed  with  the  segment 
classification  to  the  NDS  Module  procedure  CIASS_GE.  If  the 
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C0NDITI0N_C0DE  returned  is  FALSE  then  access  allowed  is 
NUIL_ACCESS,  the  segment  number  is  NULL_SEG,  and 
MM_DEACTIVATE  is  called  to  deactivate  the  segment.  An 
appropriate  error  code  is  returned.  If  it  is  greater  than  or 
equal  then  the  access  allowed  is  assigned  as  follows:  (1 ) 
the  two  classifications  are  compared  again — this  time  to  see 
if  equal;  (2)  If  they  are  equal,  then  the  access  allowed  is 
either  read  or  write  per  the  access  desired;  (3)  if  they  are 
not  equal  (i.e. ,  the  process  class  is  greater  than  the 
segment  class)  then  the  access  allowed  is  read.  Finally  the 
AST  entries  for  that  segment  number  (more  accurately  for  its 
index  in  the  AST)  are  filled  with  the  appropriate 
information  (e.g.,  IN-CORE  is  false,  etc.).  If  the  success 
code  returned  from  the  memory  manager  process  via  the 
distributed  memory  manager  is  not  "succeeded”,  then  the 
segment  number  is  set  to  NULL_SEG  and  the  access  allowed  is 
set  to  NULL_ACCESS. 

4 .  Make  a  Segment  Unknown  (Terminate) 

The  function  that  makes  a  segment  unknown  (i.e., 
removes  that  segment  from  the  process'  address  space — by 
updating  the  AST  and  causing  the  memory  manager  process  to 
"deactivate”  the  segment)  is  TERMIMATE.  It  results  in 
removal  of  the  M_SEG_No  (mentor  segment  number)  entry  from 
that  segment's  AST  record.  Terminate  is  passed  the  segment 
number  of  the  segment  to  be  terminated  as  an  argument.  It 
returns  a  success  code.  Conversion  of  the  segment  number  to 


a  KST  index,  finding  the  KST  pointer,  and  verifying  that  the 
segment  is  known  occurs  in  the  same  manner  as  previously 
discussed.  The  next  check  is  to  verify  that  the  segment  is 
not  still  loaded  in  the  process'  virtual  core  (viz.,  it  has 
been  "swapped-out") .  If  not,  an  error  code  is  returned  and 
the  user  must  cause  the  Segment  Manager  extended  instruction 

SM_SWAP_OOT  to  he  executed.  The  next  check  is  to  ensure  that 

/ 

the  user  is  not  attempting  to  terminate  a  Kernel  segment. 
The  first  several  segment  numbers  in  a  process'  address 
space  will  be  used  by  Kernel  procedures  and  data  (though 
they  will  not  be  entries  in  the  KST).  Thus  if  there  were  1? 
Kernel  segments,  then  the  segment  number  to  be  terminated 
must  be  greater  than  or  equal  to  #10  (since  the  Kernel 
segments  used  # 's  0-9).  Thus  a  check  Is  made  to  ensure  that 
the  segment  number  is  not  less  than  the  number  of  Kernel 
segments,  otherwise  an  error  code  is  returned.  Next,  the 
segment  number  is  checked  to  ensure  that  it  is  not  larger 
than  the  maximum  segment  number  allowable  (if  so,  an  error 
code  is  returned).  If  all  checks  are  satisfactory,  then  the 
segment's  MM_Handle  pointer  and  the  process  DBR_No  are 
obtained  (as  discussed  before)  and  passed  in  a  call  to  the 
MMjDeactivate  procedure.  It  calls  the  memory  manager  process 
procedure  DEACTIVATE  which  removes  or  updates  (as 
appropriate)  the  entries  in  the  local  and  global  AST's. 
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5.  Swap  a  Segment  In 


The  function  that  swaps  a  segment  from  secondary 
storage  to  main  memory  (global  or  local)  is  SK_SWAP_IN.  It 
is  passed  the  segment  number  of  the  segment  to  be  swapped  in 
as  an  argument  and  returns  a  success  code.  Conversion  of  the 
segment  number  to  a  KST  index,  finding  the  KST  pointer,  and 
verifying  that  the  segment  number  is  known  are  accomplished 
as  previously  discussed.  If  the  check  is  satisfactory,  then 
the  segment's  MM_Handle  pointer  and  the  process  BBH  number 
are  obtained.  They  are  passed  with  the  segment's  access  mode 
(from  the  KST)  as  arguments  in  the  call  to  MK_SWAP_IN.  It 
performs  normal  interface  (IPC)  functions  and  returns  a 
success  code  from  the  memory  manager  process'  SWAP_IN 
procedure  (where,  if  not  already  in  core,  allocation  of  main 
memory  space  and  reading  the  segment  into  main  memory 
occurs).  If  the  success  code  is  "succeeded"  then  the 
segment's  IN_CORE  entry  in  the  KST  is  updated  to  show  that 
the  segment  is  in  main  memory  for  this  process  (i.e.»  the 


entry  is  now 

t  rue  " ) . 

6.  Swap  a 

Segment 

Out 

The  function  that  swaps  a  segment  from 

main  memory 

to  secondary 

storage 

is  SM_SWAP 

_0UT.  It  is 

passed 

the 

segment  number 

of  the 

segment  to 

be  swapped 

out  as 

an 

argument  and 

re  turns 

a  success 

code.  The 

behavior 

of 

SM_SWAP_OUT  is 

exactly 

analogous 

to  that  of 

SM_S¥AP 

_IN 

except  that 

the  segment's  KST  IN 

_C0PE  entry  is  updated 

to 

reflect  that  the  segment  has  been  removed  from  main  memory 
for  this  process  (i.e.,  the  new  entry  is  "false"). 

C.  NON-DISCRETIONARY  SECURITY  MODULE 

The  Non-Discretionary  Security  Module  implements  the 
non-discretionary  security  policy  for  the  SASS.  The  NDS 
module  contains  two  procedures:  CLASS_EQ  and  CLASS_GE>  both 
compare  two  labels  (classifications)  and  determine  if  their 
relationship  meets  that  of  the  procedure's  name  (i.e., 
equal,  or  greater  than  or  equal).  Although  the  type  of 
checks  beinfr  made  are,  in  fact,  compatibility  checks.  Simple 
Security  Condition  checks,  etc,  the  NDS  Module  does  not 
recognize  or  need  to  recognize  this.  It  simply  uses  an 
algorithm  to  determine  if  classification  #1  =  classification 
#2  or  if  classification  #1  >=  classification  #2,  as 

appropriate.  It  then  returns  a  condition  code  of  true  or 
false  in  accordance  with  the  particular  case.  The  earlier 
discussion  of  label  comparison  in  accordance  with  a 
partially  ordered  lattice  structure  is  relevant  in 
discussing  the  NDS  Module's  algorithm.  Consider  the  same 
"totally  ordered"  relationship  TS  >  S  >  C  >  U  of  levels  and 
the  "disjoint”  relationship  Cy  !  N  !  Nu  !  %  of  categories. 
Comparison  of  levels  will  be  numerical  comparisons  while 
comparison  of  categories  will  use  set  theory  comparison  as  a 
basis.  If  TS-4,  S=3,  C=2,  U=1  are  level  numerical 

assignments,  then  the  totally  ordered  relationship  is 


maintained  (i.e.,  TS>S>C>U  is  still  true).  Now  consider  the 
categories  and  make  the  following  assignments:  Cy=l ,  N=2, 
Nu=4,  %=0.  Note  that  a  classification  may  have  only  one 
level  and  one  category  set  (the  category  set  may  contain 
several  categories).  Consider  this  example:  (TS,{Cy,N).  The 
level  is  TS  (=4).  The  category  is  the  set  {Cy,N}  and 
numerically  is  formed  hy  performing  a  logical  OR  with  the 
categories  Cy  and  N.  Sixteen  hit  representation  of  this  is: 
Cy  OR  N 

(0000  0000  0000  0001)  OR  (0000  0000  0000  0010) 

*  0000  0000  00e0  0011  «  {Cy ,N) 

If  (TS,{Cy,N))  is  considered  label  #1  and  (S,{N})  as  label 
#2  then  a  comparison  of  the  two  labels  would  be: 

(1)  Compare  level  #1  with  level  #2  —  4  >  3? 

Clearly,  the  answer  is  yes. 

(2)  Compare  category  #1  with  category  #2  —  is 
(0000  0000  000£  0011)  a  superset  of 

(0000  0000  0000  0010),  or  more  clearly 
is  the  latter  a  subset  of  the  former? 

The  answer  is  yes,  and  one  way  to  show  that  is  true  is 
by  performing  a  logical  OR  of  category  #1  with  category  #2 
and  comparing  the  result  to  category  #1.  If  the  result  of 
the  OR  operation  equals  category  #1  then  category  #1  is  a 
superset  (not  necessarily  proper)  of  category  #2.  Since 
usage  of  the  term  subset  is  more  frequent  than  that  of 
superset,  this  relationship  will  typically  be  stated  as 


category  #2  is  a  subset  of  category  #1.  To  Illustrate  the 
above : 

{Cy,N}  OS  {N>  : 

(0000  00j00  0000  0011)  OR  (0000  0000  0000  0010) 

*  0000  0000  0000  0011  *  category  #1. 

This  means  that,  in  this  example,  that  category  #2 
is  a  subset  (not  necessarily  proper)  of  category  #1.  Since 
level  #1  >  level  #2  and  category  #2  subset  category  #1  then 
label  #1  >  label  #2.  Thus,  a  call  to  the  CLASS_EQ  procedure 
with  these  two  labels  as  the  input  classifications  would 
return  a  condition  code  of  false  while  C1ASS_GE  would  return 
true.  The  decision  to  have  the  classifications  as  Ion*  word 
(32  bits)  supports  the  requirement  of  some  EoD 
specifications  for  eieht  levels  and  sixteen  categories  .  This 
module  uses  sixteen  bits  for  the  level  and  sixteen  bits  for 
the  category.  Appendices  E  and  P  are  the  PLZ/S7S  and  PIZ/ASM 
listings  for  the  NES  Module. 

1 .  Equal  Classification  Check 

The  CLASS_EQ  procedure  performs  comparison  of  two 
classifications  (labels)  and  returns  a  condition  code  of 
true  if  they  are  equal  (an  exact  match  of  the  two  Ions  words 
bit  per  bit)  or  false  if  they  are  not. 

2.  Greater  or  Equal  Classification  Checfc 

The  CIASS_GE  procedure  performs  comparison  of  two 
classifications  (labels)  and  returns  a  condition  code  true 
if  classification  #1  is  greater  than  or  equal  to 
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classification  #2  or  a  condition  code  of  false  otherwise. 
For  classification  #1  to  be  greater  than  or  equal  to 
classification  #2,  the  following  must  be  true:  (1)  level  #1 
>»  level  #2  (determine  this  by  simple  numerical  comparison 
of  values)  and  (2)  category  #2  subset  category  #1  (determine 
this  by  performing  a  logical  OR  with  the  categories  and 
comparing  the  result  to  category  #1  —  if  they  are  equal 
then  category  #2  is  a  subset  of  category  #1). 

Since  PLZ/STS  allows  passing  only  "simple"  types  in 
calls,  the  labels  were  passed  as  long  words  (as  opposed  to 
each  being  word  arrays  of  length  two).  An  access  class  label 

x 

is  never  interpreted  outside  the  NDS  Module.  However,  within 
the  NDS  Module  it  is  necessary  to  address  the 
classification's  components  separately  (viz.,  level  and 
category).  Thus,  an  "overlay”  of  the  logical  view  of  the 
classification  was  created.  This  overlay  was  a  record  of 
type  ACCESS_CLASS  and  it  consisted  of  two  fields:  level  — 
16  bit  integer  and  category  —  16  bit  integer.  A  pointer 
type  CPTR  was  declared  to  be  of  type  pointer  to 
ACCESS_CIASS.  Two  other  pointers  CIASS1_PTR  and  CIASS2_PTR 
were  declared  to  be  of  type  CPTR  and  were  set  equal  to  the 
base  address  of  CLASS1  and  C1ASS2  respectively.  This 
"overlay”  of  the  record  frame  over  the  two  classification 
labels  passed  as  arguments  allowed  the  desired  component 
addresslbility. 
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Futhermore,  the  non-discretlonary  policy  enforced  by  SASS 
can  he  changed  from  the  current  PoD  policy  to  another 
lattice  policy  hy  changing  (only)  the  NDS  Module. 

D.  DISTRIBUTED  MEMORY  MANAGER  MODULE 

The  Distributed  Memory  Manager  Module  performs  as  an 
interface  between  the  Segment  Manager  and  the  Memory  Manager 
Process.  As  its  name  implies,  it  is  distributed  in  the 
kernel  domain  of  each  Supervisor  process.  The  key  role 
performed  in  this  module  is  to  arrange  and  perform 
interprocess  communication  between  its  process  (actually  the 
VP)  and  the  memory  manager  process  (VP).  The  module  consists 
of  eight  procedures.  Six  of  the  procedures  are  called 
directly  by  Segment  Manager  procedures;  they  are 
MM_CREATE_ENTRT ,  MM _DELETE_ENTRY ,  MM_J»CT  IVATE, 
MM_DEACTIVATE,  MM_SWAP_IN,  and  MM_SWAP_OUT.  The  other  two 
procedures  are  "service"  procedures  called  hy  multiple 
procedures;  they  are:  MM_GET_DBR_VALUE  and  PERFORM_IPC.  The 
logic  used  in  the  first  six  procedures  is  somewhat  uniform 
(except  for  MM_ACTIVATE) .  Thus,  the  general  lo/?ic  will  be 
explained  (with  MM_' dEATE_ENTRY  as  an  example)  and  it  should 
suffice  as  a  description  for  all  (except  MM_ACTIVATE) 
procedures.  The  service  procedures  will  be  described 
separately. 

1 .  Description  of  Procedures 


Bach  procedure  is  invoked  (and  returns)  on  a  one  to 
one  basis  with  a  corresponding  procedure  in  the  Segment 


Manager.  For  example,  CREATE_SEGMENT  invokes  MM_CREATE_ENTRY 
which  signals  the  CREATE_ENTRY  procedure  in  the  Memory 
Manager  Process  Module.  Associated  with  each  procedure  is  an 
IPC  message  "frame"  to  describe  the  unique  format  of  the 
contents  of  the  message  to  be  signalled  to  the  memory 
manager  process.  Similarly,  there  must  be  a  message  "frame” 
for  return  messages  from  the  memory  manager  process;  this 
frame  is  the  same  for  all  but  the  MM_ACTIYATE  procedure. 
Consider  the  message  frame  for  MM_CREATE_ENTHY >  it  consists 
of:  (1)  a  code  to  describe  which  function  is  to  be  performed 
(e.g.,  CREATE_CODE  indicates  that  the  CREATE_ENTRY  procedure 
is  the  intended  recipient  of  the  message),  (2)  MM_Handle  (an 
array  of  three  words),  (3)  Entry_No,  (4)  Size,  and  (5) 
Class.  The  message  frame  has  a  filler  (in  this  case)  of  one 
byte  to  ensure  that  it  is  of  length  16  bytes.  The  purpose  of 
this  frame  is  to  provide  an  overlay  onto  the  actual  message 
array  to  be  signalled  and  to  facilitate  loading  the 
arguments  into  the  message  array.  This  is  accomplished  by 
having  a  pointer  of  the  type  that  points  to  the  frame  but  by 
converting  its  address  so  that  it  actually  points  to  the 
base  of  the  message  array.  Consider  these  lines  of  PIZ/SYS 
code : 

CE_MSGPTR  :=  CE_PTR  COM_MSGPTR 

CE_MSGPTR'\CREATE_CODE  :*  CREATE_ENTRY_CODE 

This  code  is  putting  a  value  into  the  structure  pointed  to 

by  CE_MSGPTR  at  entry  CREATE_CODE.  The  key  point  is  that  the 


frame  of  that  structure  is,  in  fact,  CREATE_PSG  (as 
described  before),  but  the  physical  location  pointed  to  is 
the  message  array.  This  is  assured  by  having  the  pointer 
CE_MSGPTR  (which  points  to  a  structure  of  t7pe  CREATE_MSG ) 
set  equal  to  a  pointer  (COM_MSGPTR)  to  the  actual  message 
array  (COM_MSGB!JF ) .  This  is  accomplished  by  the  first  line 
of  code.  The  message  array  itsel-f  is  never  directly 
referenced,  but  rather  the  message  array  that  is  overlayed 
by  the  message  frame  is  filled  in  the  format  of  the 
CREATE_MSG  frame.  In  this  example,  the  first  two  bytes  of 
the  message  array  now  contain  the  value  of  the  constant 
CREATE_ENTRr_CODE .  The  remainder  of  the  message  array  is 
filled  in  the  same  manner  (all  procedures  use  the  same 
notion  of  a  frame,  although  the  frames  have  different 
formats).  The  PERFORP_IPC  (perform  interprocess 
communication)  procedure  is  called  by  all  procedures  at  this 
point  in  their  execution.  The  hey  is  that  the  argument 
passed  is  the  message  array  pointer  not  the  pointer  to  the 
CREATE_MSG  record  (after  all  it  is  only  an  overlay  frame  — 
linguistically,  it  is  only  a  type  and  is  never  declared  as  a 
structure  requiring  memory  storage  allocation).  When 
PERFORM_IPC  returns,  the  message  array  contains  a  return 
message.  This  message  consists  of  only  a  success  code  and 
filler  space  in  all  cases  but  MM_ACTIVATE.  Interpretation  of 
the  return  message  is  performed  in  the  same  manner  as 
loading  the  message  array.  The  retrieved  success  code  is 


returned  to  the  calling  Segment  Manager  procedure.  For 
MM_ACTI7ATE,  the  return  message  must  he  Interpreted  and 
values  for  success  code,  segment  size,  and  segment 
classification  retrieved  and  returned  to  the  Segment  Manager 
MAKE_£N0WN  procedure.  The  value  for  the  MM_Handle  (called 
the  G_AST_Handle  by  the  memory  manager  process)  must  he 
retrieved  and  entered  in  the  KST  record  for  this  segment. 

2.  Interprocess  Communication 

The  final  arrangements  and  actual  performance  of  IPC 
is  completed  hy  the  internal  procedure  PERFORM_IPC .  Ey 
locating  the  identity  of  the  current  physical  processor 
(CPU)  and  using  that  identity  to  index  into  the 
MM_CPU_TABIE ,  the  VP_ID  of  the  current  memory  manager  is 
resolved,  so  that  the  memory  manager  process  dedicated  to 
this  physical  processor  is  signalled.  The  call  to  K_L0CK  is, 
in  fact,  a  disguised  call  to  the  SPIN_LOCK  procedure  (since 
K_L0CK  calls  SPIN_L0CK).  K_L0CK  represents  an  ultimate  (as 
yet  unimplemented)  goal  of  a  kernel  locking  (wait-lock) 
system.  In  any  event,  the  G_AST  lock  must  he  set  prior  to 
signalling  the  memory  manager  process.  After  SIGNAL  has  been 
called,  a  call  is  made  to  WAIT  with  the  pointer  to  the 
message  array  as  the  argument.  The  synchronization  cycle 
that  results  is:  (1)  PERFORM_IPC  calls  the  ITC  procedure 
SIGNAL  with  the  memory  manager  7P_ID  and  message  array 
pointer  as  arguments;  PERFORM_IPC  then  calls  WAIT  with  the 
message  array  as  the  argument,  (2)  SIGNAL  causes  the  message 
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array  to  he  copied  into  the  message  queue  (in  the  V?T)  of 
the  appropriate  VP_ ID,  (3)  ultimately,  the  signalled  VP  is 
scheduled?  it  had  previously  called  WAIT,  passing  a  pointer 
to  its  own  local  message  array?  the  action  of  WAIT  is  to 
copy  the  message  from  the  VPT  to  the  signalled'  process 
local  message  array?  there  it  is  interpreted  by  the  memory 
manager  process  main  procedure  and  the  appropriate  procedure 
is  called  for  action  (e.g.,  CREATE_ENTRT) ,  (4)  when  action 
is  completed  the  memory  manager  process  fills  its  local 
message  array  with  the  appropriate  return  message  and  calls 
SIGNAL  with  a  pointer  to  the  message  and  the  original 
signalling  process's  VP_ID  as  arguments,  (5)  SIGNAL  causes 
the  memory  manager  process'  message  to  be  copied  into  the 
VPT  message  queue  for  the  appropriate  VP_ID,  (6)  that  VP  is 
eventually  scheduled  and  through  the  action  of  WAIT  has  the 
return  message  copied  from  its  message  queue  in  the  VPT  to 
its  local  message  array?  WAIT  then  returns  to  PEE FOR M_ I PC . 
The  G_AST  lock  is  unlocked  and  PERFORM_IPC  returns  to  the 
appropriate  distributed  memory  manager  procedure. 

The  last  procedure  in  the  distributed  memory  manager 
is  f*M_GET_DBR_VALUE.  This  procedure  simply  provides  the 
service  of  translating  a  DBR_N0  (DPR  number)  into  its 
appropriate  DPR  address.  It  is  called  by  the  TC_GETWORK 
procedure  to  allow  it  to  call  the  ITC  procedure  SWAP_VPBR 
(remember  that  presently  the  Inner  Traffic  Controller  aeals 
with  the  DBR  as  the  address  of  the  appropriate  MMU  record  in 
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the  MMU_IMAGE  while  the  Traffic  Controller  uses  BBR  as  a  D£R 
number  which  indexes  to  the  appropriate  MMTJ  record) . 

5.  SUMMARY 

The  implementation  of  segment  management  functions  and  a 
non-discretionary  security  policy  for  the  SASS  has  been 
presented  in  this  chapter.  The  implementation  of  the  Segment 
Manager  Module,  Non-Discret ionary  Security  Module,  and 
Distributed  Memory  Manager  management  demonstration  was 
described. 

Chapter  17  will  present  the  conclusions,  lessons 
learned,  and  suggestions  for  future  work  derived  from  this 
thesis . 
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Figure  10.  Initialized  Virtual  Processor  Table 
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Figure  13o  Initialized  Process  Stack  Segments 
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9k 

NMI 

[LOAD  SYNC. 8 
ENTRY  POINT  5000 
[LOAD  DBR.8 
ENTRY  POINT  8000 
fLOAD  SYNC  STACK. 8 
ENTRY  POINT  7000 
fLOAD  SYNC  DATA. 8 
ENTRY  POINT  9000 
[LOAD  KST  DATA. 8 
ENTRY  POINT  9300 
[R  R15 

R15  40A0  f 71B4 
RPC  075E  [ 560E 
RFC  5040  [5000 
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Figure  15*  Load  Command  Lines  and  Register  Initialization 
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Figure  16,  Generated  Output 


Figure  16»  Generated  Output  (continued) 
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Figure  16,  Generated  Output  (continued) 


IV.  CONCLUSIONS  AND  70L10'..'  ON  YORK 


The  implementation  of  segment  management  for  thp 
security  kernel  of  a  secure  archival  storage  system  has  been 
presented.  The  implementation  was  completed  on  Zilog's  Z°0Z2 
sixteen  hit  nonsegmented  microprocessor.  Segmentation 
hardware  (Zilog's  ZS01Z  Memory  Management  Unit)  was  not 
available,  therefore  it  was  simulated  in  software  as 
described  by  Reitz  [9].  The  loop  free  modular  construction 
used  in  the  implementation  facilitates  ease  cf  expansion  or 
modification . 

A  non-discretionary  security  policy  was  implemented 
using  a  partially  ordered  lattice  structure  as  a  basis. 
Enforcement  was  realize.d  through  an  algorithm  tnat  compared 
two  labels  and  determined  if  their  relationship  was  equal  to 
a  desired  relationship.  Although  tne  LoL  security 
classif ication  system  was  represented,  any  non-discretionary 
security  policy  that  may  be  represented  by  a  lattice 
structure  may  similarly  be  implemented.  This  implementation 
nas  shown  that  by  having  the  non-discretionary  security 
policy  enforced  in  one  module,  changing  to  another  policy 
requires  changing  only  this  one  module. 

Software  engineering  techniques  used  in  previous  work 
emphasized  the  advantages  of  wording  with  code  that  is  veil 
structured,  well  documented,  ar.d  well  organized,  respite 


being  written  in  assembly  language,  Reitz'  implementation  of 
multiprogramming  and  process  management  proved  to  be 
consistent  in  stylet  clarity  and  documentation.  This 
entranced  the  construction  of  a  segment  management 
demonstration  which  was  built  onto  his  synchronization 
demonstration.  Further,  refinements  made  to  nis  code  (not 
necessitated  by  any  failures  of  his  code)  were  relatively 
easily  accomplished. 

’*hile  the  segment  management  implementation  appears  to 
perform  properly,  it  has  not  been  subjected  to  a  formal  test 
plan.  Such  a  test  plan  should  be  developed  and  implemented. 

The  Memory  Manager  Process  has  teen  designed  but  not 
implemented.  Segment  management  implementation,  provision 
for  IPC  using  more  practical  size  messages,  and  the  detailed 
design  of  the  memory  manager  by  Mocre  and  Gary  [4] ,  provide 
a  sound  foundation  for  memory  manager  implementation.  A 
framework  of  the  mainline  code  needed  is  provided  in  the 
memory  manager  module  of  the  demonstration  code  in  Appendix 
I.  Prior  to  this  implementation,  formal  testing  of  the 
segment  management  implementation  herein  and  the  monitor 
implemented  by  Reitz  f9]  should  be  completed. 


APPENDIX  A  -  SEGMENT  MANAGE?.  PLZ/SYS  LISTINGS 


SEGMENT. MANAGER  MODULE 


CONSTANT 

NU LL  ACCESS 
NULL^SEG 

MAX  NO  X5T  ENTRIES 

MAX  SEG  SIZE 

MAX- 5 EG  NO 

KST..SEG.NO 

Nxi_CF_  LS  2 Go 

FALSE 

TRUE 

READ 

WRITE 


4 

-1 

??  ! TO  RE  DETERMINED 
??  ! TC  11  DETERMINED 
??  !TO  3E  DETERMINED 
??  ! TO  RE  DETERMINED 
??  ! TC  PE  DETERMINED 
0 
1 


!  ****  SUCCESS  CODES  I 

SUCCEEDED  :=  2 

MENTOR  SEG  NOT  XNO*N  22 

ACCESS  CLASS  NOT  EG  :  =  33 
NOT  COMPATIBLE  :=  24 

SEGMENT  TOO  LARGS  :  =  25 
NO_5SG  AVAIL  :=  2? 

SEGMENT  NCT  ENCVN  :=  2= 

SEGMENT  IN  CORE  :=  29 

KERNEL  SEGMENT  :=  33 

INVALID  SEGMENT  NC  :=  31 
NO_ACCSSS  PERMITTED  :=  32 
LEAF  SEG  EXISTS  :=  13 

NC  LEAF  EXISTS  :=  11 

ALIA5_DOES  NOT  EXIST  ;=  23 
NO_CRlLD.TO_ DELETE  23 

G_A5T  x ILL  J=  12 

L  AST~F'JLL  :=  13 

LOCAL  MEMORY.  FULL  16 

GLCEAL  MEMORY  FULL  :=  1? 

SEC  5TOR  FULL  21 

PROC  CLASS  NOT  GE  SEG  CLASS  :=  41 


TYPE 


F. ARRAY 
KST.RSC 


X5 


ARRAY 

RECORD 


ARRAY 


c 


WORE  1 


[  MM  RANDLE 
SIZE 

ACCESS  MODE 
IN  CORE 
CLASS 
M  SEG  NC 
ENTRY  NUMBER 


H  ARRAY 

WORD 

FYTE 

BYTE 

LONG 

SECRT  I  NT FOE 
SHORT" INTEOE 


{  MAX  NO  EST  ENTRIES  UST  RDC 


130 


CLASS  IQ  PROCEDURE 

RETURNS  (  CONDITION. CCLI  EYTZ  , 

CLASS  GE  PROCEDURE 

RETURNS  (  CONDITION_ CODE  3YTS  ! 

MM  CREATE  ENTRY  PROCEDURE 
RETURNS  (  S:JCCESS_CODE 

MM  DELETE  ENTRY  PROCEDURE 
RETURNS  ,  SUCCESS, CODE 

MM_MAEE  KNOWN  PROCEDURE 

RETURNS  (  SUCCESS  CODE 
CLASS 
SIZE 

MM  TERMINATE  PROCEDURE 

RETURNS  (  SUCCESS,  CODE 

MM_SWA?  IN  PROCEDURE 

RETURNS  {  SUCCESS. CODE 

MM  SWA?  CUT  PROCEDURE 

RETURNS  (  3U CCES 5 _ CODE 

TC.GET  PROC.CLA5S  PROCEDURE 

RETURNS  i  P?CC_ CLASS  LONG  ) 

ITC  GET  SBG  ?TH  PROCEDURE 

RETURNS  (  SEGPTR  ""SET  ARRAY  ) 

MONITOR  PROCEDURE 

! TO  BE  IMPLEMENTED  AT  ASSEMBLY  LEVEL  -  SIM?LY  WILL 
CALL  TaZ  MONITOR  AT  ADDRESS  S359A! 

INTERNAL 

HPTR  ''H_AR?.AY 

KPTR  ZTSTPTR 


BYTE  ' 
5YTE  , 

3  ym  7 

LONG 
WORD  ' 

BYTE  . 

BYTE  ; 

BYTE  ' 


101 


GLOBAL 

(j«  '‘f  **«  *•*  j<  » 

•I*  'i*  v  v  *r  v  » 


* 

* 


* 

* 

sj> 


-1*  %!*  >'<  *•#  *•»  •*£ 


•  >#  v*-  »■*  *.*>  «■<  «>#  J#  «*>  «t«  J«  «!.  «t#  J#  J«  «ltf  >*a  «u  ..t#  »u  mj*  «*#  »■#  %!#%*«  »  ’ m  •■#  •■#  «v  *V  «*# 

*(s  *,»  rfj»  *  |^  ^  #|*  •  |»  ^  *|»  *|«  #|»  »|»  #|«  #(»  /j»  *t»  ^  .j%  >|%  #|«  wgm  #|«  f|*  *|«  r(«  ^  »j*  #(*  *|«  f4*  #|% 


CREATE _ SEGMENT  PPCCEDUEE.  I NVGXEI  BY  SUPERVISG? 

nn  Art'"  A  ~  tf  r  i  a  I  m  a  T  r~  a  at?  n  a  .• "  a  r?A  ■»  a  i  r  r  T  «  ?r  »  r  t  l 


PROCEDURE  VIA  GAmS  JEEPER .  ENSURES  CALL  15  VALID 
IY  CHECKING  TO  SEE  IE  VENIGR  SEGMENT  XNO'-'t. ,  IE 
SEGMENT  SIZE  IS  TOO  LARGE  (DESIGNED  MAX  SIZE),  I 
ACCESS  CLASSIFICATION  ARE  E*u  AL , AND  I?  COMPATI^I 
REQUIREMENTS  MET.  IE  ALL  CHECKS  ARE  SATISFACTORY 
THEN  MM  CREATE  ENTRY  IS  CALLED  FOR  MEMORY  MANAGE 
TO  TAKE  ACTION. 


r  * 
LITY  * 


*1*  f 


CRFATE_ SEGMENT  PROCEDURE  (  MENTOR  SEG  NO 

ENTRY  NO 

CLASS 

SIZE 

RETURNS  (  SUCCESS  CODE 


SHORT  INTEGER 
SHORT  INTEGER 
LONG 
WORE  / 

BYTE  ) 


j  -.'.j:;:***  NOTE:  REENTRANT  PROCEDURE  *###  \ 

!  SAVE  LCCAL  VARIABLES  ON  3T'ACz”tC  ENSURE  REENTRANT  ! 

LOCAL  ■  V_SEG_ INDEX  SHORT _ INTEGER 

~NTRY 

IF  SIZE  >  MAX  SEG  SIZE  THEN 

SUCCESS  CODE  :=  SEGMENT  TOO  LARGE 

ELSE 

M_SEG  INDEX  MENTOR  SEG  NC  -  Nr.  OF  XSEGS 
KPTR  :=  K5TPTR  ITC  GET  SEG  ?TR  (  KST  SEG  NO  ) 

IF  X?TR~[M  SEG  INDEX]  .M  SEG  NC  =  NULL  SEG  TEEN 
SUCCESS^  CODE  :=  M S N T 0 F.  S E G _ N 0 T _ K N 0 U N 

PROC  CLASS  :=  TC  GET  PROC  CLASS 
CONDITION  CODE  :=  CLASS  EQ  (  PROC  CLASS, 

K?TR~Tm  SEG  INDEX] .CLASS) 

IF  CONDITION  CODE  =  FALSE  THEN 

SUCCESS  CODS  :=  ACCESS  CLASS  NOT  SO 

ELSE 

CONDITION  CODE  :=  CLASS  GE  v.  CLASS, 

KPTR~[M  SEG  INDEX]. CLASS  ) 

IF  CONDITION  CODS  =  FALSE  THEN 

SUCC25S_C0IZ  NOT  COMPATIFLE 

ELSE 

SPUR  :=  #X?T?.~[M  SEG  INDEX]. MM  HANDLE 
SUCCESS  CCDE  :=  MM  CREATE  ENTRY  v  EPT?  , 
ENTRY  NO, "SIZE,  CLASS  ) 
CONFINEMENT  CHECK  (SUCCESS  CODE  y 
FI 
FI 
FI 

J  T 

RETURN 

END  CREATE  SEGMENT 


1L3 


»>><  >'•  «><  «•<«•*«!>  ‘atlaVa  .'a  «'«  a'a  »*«  .>*»•«  J.  »>.  »l»  Oj  ■<»«'*  »l»  «'«  Ja  *la  Ja  »'»  »*«  »<»«*«  t»#  ^a  »>  ■,*»  Va  .  ’a  A  ‘V  Ja  *'a  Va  v»a  •'>  «'a  »'.  >'a  ila  Va  t-. 

*r  *>**i*'i'*i*  *i*  v  »i*  v  'i»  »»'  v  v  *,*  «,*  *t*  n*  n*  *i*  »(•  v  »r  v  *i*  *»*  v  *y*  #i»  »i»w'i‘'r  vv •«*  v  v  *#*  »i*  *i'  'i*  v 

«ta  •*; 

r  ^ 

*  DELETE  SEGMENT  PROCEDURE.  INVOKED  BY  SUPERVISOR  * 

*  PROCEDURE  VIA  TFV  GATE  KEEPER .  CHECKS  70  SEE  IE  * 

-  MENTOR  SEGMENT  KNOWN  ».ND  I?  ACCESS  CLASSIFICATION 
*  ARE  EQUAL.  THEN  CALLS  MM  DELETE, ENTRY  EOR  MEMORY  # 

*  MANAGER  ACTION.  "  * 

#  Sr 

£  jjs  s*s  s£  ;)c  if  sfc  £  if  *  £  i::fif:’fifif  if  if  if  if  ;Jf  if  # *  it  it  it  if  if  it  * ijt  ijt  if  if if  if  *  if  J 

DELETE  SEGMENT  PROCEDURE  (  MENTOR  SEG  NO  SFCRT  INTEGER 

ENTRY  NO  SHORT  INTEGER) 

RETURNS  (  SUCCESS_C  ODE  BYTE  j 

,  ****  f.CTE:  REENTRANT  PROCEDURE  ****  ! 

!  SAVE  LOCAL  VARIABLES  ON  STACK  TO  ENSURE  REENTRANT  ! 


LOCAL  v  SEG  INDEX  SHORT  INTEGER 
ENTRY 

M  SEG  INDEX  :=  MENTOR  SEG  NO  -  NR  0?  KSEG3 
KPTR  :=  KSTPTR  ITC  GET  SEG  ?TE  >,  ESI  SEG  NC  , 

IE  X?TR~  [M_S£G  INDEX]  .M  SEG  NO  =  NULL  SEG  THEN 
SUCCESS  CODS  :=  MENTOR  SEG  NoT  SHOWN 
ELSE 

PROC  CLASS  :=  TC  GET  PRCC  CLASS 
CONDITION  CODE  :=  CLASS  SQ  (  PROC  CLASS, 

KPTR^LM  SEG  INDEX]  .CLASS  ) 

IF  CONDITION, CODE  =  FALSE  THEN 

SUCCESS  CODE  :=  ACCESS  CLASS  NOT  EG 
ELSE 

HPTR  :=  *K?T?.~[M  SEG  INDEX!  .MM  HANDLE 
SUCCESS  CODE  :=  M.rl  DELETE  ENTRY  (  HPTR,  ENTRY  NO  ) 
CONFINEMENT  CEECa.  ( SUCCESS, CODE j 
FI 
FI 

RETURN 

END  DELETE  SEGMENT 
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MAZE  KNOWN  PROCEDURE.  INVOKED  RY  SUPERVISOR 
PROCEDURE  VIA  C-ATE  KEEPER.  CHECKS  TO  SEE  IF 
MENTOR  SEGMENT  KNOWN .  SEARCHES  ZST  TO  SEE  IE 
SEGMENT  ALREADY  KNOWN  (WHILE  ALSO  NOTING  THE 
EIRST  AVAILA3LE  (UNUSED)  SEG  #}.  IF  THE  SEGMENT 
IS  ALREADY  KNOWN  THEN  FINISHED.  IE  NOT,  THEN, 
USING  THE  AVAILABLE  SEG  #,  CALL  MM_ACTI7ATE  FCR 
MEMORY  MANAGER  ACTION.  THEN  CHECK  TO  SEE  IF  ANY 
ACCESS  IS  ALLOWED.  IF  YES  THEN  DETERMINE  THE 
APPROPRIATE  ACCESS  ALLOWED  AND  UPDATE  ZST.  IF 
NO,  THEN  RETURN  NULL  ACCESS. 


(S5{S  S{C  SJC  S{£  2j»  2jc2{{  S{C^S  ?i^SjS  S|S  «{C2|S  Sjt^S  SjC  3yC  SgS  ?,c  sj%  :,c 


•  "f*  *1*  .I* 
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‘  *r  vt  ' 


MAKE  KNOWN  PROCEDURE 


RETURNS 


(  MENTOR  SEG  NO 
ENTRY  NO 
ACCESS  DESIRED 
(  SEGMENT  NO 
ACCESS  ALLOWED 


SHORT_ INTEGER 
ScORT_ I NT^GER 
D  Y  T  F 

seortI integer 

BYT  S 


SUCCESS  CODE  H YTZ  ) 
r  NOTE:  REENTRANT  PROCEDURE  i 

!  SAVE  LOCAL  VARIABLES  ON  STACK  TO  ENSURE  REENTRANT  ! 


LCCAL 

AVAIL  SEG  SHORT  INTEGER 
INDEX  SEORT  INTEGER 

DER  NC  SHOr.T~  INTEGER 

M_ SEG  INDEX  "SHORT  INTEGER 
ENTRY 

M  SEG  INDEX  :=  MENTCR  SEG  NC  -  NR  OF  ESZGS 
KPTF:  :=  Z5TPTR  ITC  GET  SEG  PTE  KST  SEG  NO  ) 

I?  KPTR~  rM  SEG  INDEX]  .M  SEG  NO  =  NULL  SEG  THEN 
SUCCESS  COLE  :=  MENTCR  SEG  NOT  KNOWN 
SEGMENT  NO  :=  NULL  SEG' 

ACCESS  ALLOWED  :=  NULL  ACCESS 
ELSE 

PROC  CLASS  :=  TC  GET  PROC  CLASS 
HPTR*  :=  #K?TR~[M  SEG  INDEX]  .MM_HANDLE 
INDEX  :=  e 

SEGMENT  NO  :=  NULL  SEG 
AVAIL  SEG  :=  NULL  SEG 
SEE  IF  KNOWN: 

DO 

IF  KPTR~ [INDEX] ,M  SEG  NO  =  MENTOR  SSG_NO 
ANDIE  K?TR~ [INDEX] .ENTRY  NGMEZR  =  ENTRY  NO  THIN 
! CASE  :  SEGMENT  ALREADY  KNOWN! 

SUCCESS  CODE  :=  SUCCEEDED 
SEGMENT  NO  :=  INDEX  -r  NR  OF  K3FGS 
ACCESS  ALLOWED  :=  KPTF.*'  [INDEX]  . ACC ES3_ MODE 
EXIT  SZE_ IE  .  KNOWN 

16!  4 


USE 

IF  KPTR~ [INDEX] .M  SEG  NC  =  NULL  S EG 
AM? IF  AVAIL  SE5  =  NULL  3 EG  THEN 

AVAIL  SEG  :=  INDEX  -r  N A  OI_KSLGS 
FI 

INDEX  -=  1 

IF  INDEX  >  WAX  NC  XST  ENTRIES  THEN  EXIT  FI 
FI 
OD 

!  EXIT  SEE, IF  KNOWN  ! 

IF  SEGMENT_ NO  =  MULL  SEG 

AND  IF  AVAIL  SEG  <>  NULL  SEG  THEN  '.CASE:  SEGMENT  NOT 

KNCVi  N  AND  SEG  #  IS  AVAILAELE ! 
INDEX  :=  AVAIL  SEG  -  NR  OF  KSEGS 
SEGMENT_  NO  :=  AVAIL  SSG_ 

DER  NC  :=  TC  GET  DPR  NC 

SUCCESS,  CCDS]  KRTF^t  INDEX]  .CLASS  ,KP?R’'  [INDEX]  .SIZE 
MM, ACTIVATE (DPR  NO ,H?TR .ENTRY  NO, SEGMENT  NO; 
CONFINEMENT  CHECK  (SUCCESS  CCDE 
IF  SUCCESS  CODE  =  SUCCEEDED  THEN 

CONDITION  CODS  :=  CLASS  GE  (  PP.OC  CLASS, 

KPT*" [IN DFXl .CLASS 

IF  CONDITION, CODE  =  FALSE  THEN  !NO  ACCESS  ! 
ACCESS  ALLOWED  :  =  NULL  ACCESS 
SUCCESS  COLE  :=  MM  DEACTIVATE  .DIR  NC.EPTR) 
CONFINEMENT  CHECK  ?SUC CESS_CODE) 

SUCCESS  CODE  :=  PP.OC  CLASS  NOT  GE  SEG  CLASS 
SEGMENT  NC  :=  NULL  SEG 
ELSE 

CONDITION,  CODE  :=  CLASS  EQ  (  PP.OC  CLASS, 

KPTR^TIMDEX]  .CLASS  ) 

IF  CONDITION, CODE  =  TRUE 
ANDIF  ACCESS  DESIRED  -  WRITE  THEN 
ACCESS  ALLOWED  :=  WRITE 

ELSE 

ACCESS  ALLOWED  :=  READ 
FI 

£?TR~  [INDEX] . I N  CORE  :=  FALSE 
K?TR~  [INDEX]  .M  SEG  NO  :=  MENTOR  SEG  NO 
KPIRlINEEXJ .ENTRY  MUMPER  :  =  ENTRY  NC 
KPTR~  [INDEX]  .ACCESS  MODS  :=  ACCESS  ALLOWED 
FI 

ELSE 

SEGMENT  NO  :=  NULL  SEG 
ACCESS  ALLOWED  :=  NULL  ACCESS 
FI 

ELSE 

SUCCESS  CODE  :=  NO_SSG  AVAIL 
SEGMENT  NC  :=  NULL  SEG 
ACCESS  ALLOWED  :=  NULL  ACCESS 
FI 
FI 

RETURN 

ND  MAKE  KNOWN 


Its 
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TERMINATE  PROCEDURE.  INVOKED  Tf  SUPERVISOR 
PROCEDURE  VIA  DATE  KEEPER.  CHECKS  TO  SEE  IJ 
SEGMENT  IS  KNOWN  AND  IE  SEGMENT  NUMBER  IS 
VALID.  IE  CHECKS  ARE  SATISFACTORY  THEN  MM  DEACTI¬ 
VATE  IS  CALLED  FOR  MEMORY  MANAGER  ACTION. 
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TERMINATE  PROCEDURE  (  SEGMENT  NC  SHORT  INTEGER  j 
RETURNS  (  SUCCESS' CODE  BYTE  j 


1  «###  NOTE:  REENTRANT  PROCEDURE  ****  ! 

!  SAVE  LCCAL  VARIABLES  ON  STACK  IC  ENSURE  REENTRANT  ! 


LOCAL  INDEX  SHORT  INTEGER 
DBR  NC  SEGr.T  INTEGER 

ENTRY 

INDEX  :=  SEGMENT  NO  -  NR  OP  K5ZGS 

KPTR  :=  KSTPTR  ITC  GET  SEG  PTE  .  KS i  5 EG  NO  , 

IF  KPTR''  [INDEX]  . M  SEG  NO  =  ~  NULL  SEG  THEN" 

SUCCESS _  CODE  :=  SEGMENT _ NOT. KNOWN 
VLSI 

IE  KPTR”'  [INDEX]  .  IN  CORE  =TRUE  THEN 
SUCCESS  CODE  :="5EGM3VT  IN  CORE 
ELSE 

IF  SEGMENT  NO  <  NR  OF  KSEGS 

SUCCESS ’-CODE  :=“  KERNEL..  SEGMZ  NT 
F  LSE 

IF  SEGMENT  NO  >  MAX  SEG  NC  THEN 

SUCCZS3_CCDE  :=  INVALID  SEGMENT  No 
ELSE 

HP  TP.  :=  #K?TR~  [I  N'DZXl  .MM  HANDLE 
DBR  NO  :=  TC  GET  DBR  NO 

SUCCESS  COLE  :=  MM.  DEACTIVATE  i  DBR  NC.HPTR 
CONFINEMENT  CHECK  (SUCCESS  COLE) 

IF  5UCCESS_  CODE  =  SUCCEEDED  TEEN 
KPTiT  [INDEX!  .M  SEG  NC  :=  NULL 
FI 
FI 
FI 
FI 
FI 

RFTURN 

END  TERMINATE 
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f 

*  SM  SWAP,  IN  PROCEDURE .  INVOKED  PY  SUPERVISOR  * 

*  PROCEDURE  VIA  TEE  GATE  KEEPER  .  CHECKS  TO  SEE  IF  * 

*  SEGMENT  KNOWN;  IF  YES  THEN  CALLS  MM  SWA?  IN  FOR  * 

*  memory  manager  action.  ~  ~  - 

5{S  # 

**#  V*  v*.  .U  O#  %V  >*-  'f '  V#  ^  ll.  .1#  \  *  .1.  O.  sf.  *1.  %V  s*.  >v  '•>  .(*  V#  *'#  .<#  %>*  *>.  .f.  v**  ^  J#  JU  «<.  ^  ■!.  J.  I 
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SM  SWA?  IN  PROCEDURE  (  SEGMENT, NO  SHORT  INTEGER  ) 

RETURNS  (  SUCCESS  CCLE  BYTE  "5 


,  ****  NOTE:  REENTRANT  PROCEDURE  ****  ! 

!  SAVE  LOCAL  VARIABLES  O.m  STACK  TO  ENSURE  REENTRANT  ! 


LOCAL  INDEX  SHORT  INTEGER 
DPR  NO  SHORT  INTEGER 

ENTRY 

INDEX  :=  SEGMENT  NO  -  NF  OF  ESEGS 

KPTR  KSTPTR  ITC  GET, SEG  PTR  f  KST  SZG_Nu  ) 

IF  EPTR^LlNDEXl ,M  SEG  NO  =  NULL  SIG  TEEN 
SUCCESS  CODE  :=  SEGMENT  NOT  KNOWN 
ELSE 

IF  KPTn~  [INDEX]  .  I N  CORE  ^  TRUE  THEN 
SUCCESS, CODE  :=  SUCCEEDED 
ELSE 

EPTR  :=  <*KPTR"riNLEX]  .MM  RANDLE 
DBR  NO  :=  TC_GST  LRR  NO 

SUCCESS  CODE  :=  MM'SWA?  IN  ;  HPTR ,  DPR  No, 

XPTR'~t  INDEX!  .ACCESS  MCDZ  ) 
CONFINEMENT  CHECK  (SUCCESS  CODE' 

I?  SUCCESS  CODE  -  SUCCEEDED  TEEN 
KPTR~  [INDEX] . IN  CCRZ  :=1RUZ 
FI 
FI 
FI 

RETURN  -•»  •■•■  -  -  - 

END  SM  SWAP  IN 
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5M  S’* A?  OUT  PROCEDURE .  INVOKED  BY  SUPEKVISCF. 
PROCEDURE  VIA  THE  SATE  KEEPER .  CHECKS  TO  SEE  I 
SEGMENT  KNOWN;  IE  YES  TEEN  MM  SWA?  CUT  IS  CALL 
EOF.  MEMORY  MANAGER  ACTION. 


v¥v^V5l'»l'T:  v  -r  n*  ^  *[c  :r  *r  5jj  5|*  ill  sjt  >js  a{c  s|l  5^C  5j*  s{c  5{s  s{5  5js  Jjs  5^  »lc  >ic  Jp  Jjs  5j£  5,1 5{c  3^  5jj  #js  sjj  ;js  Si£  ij*  ;js  3{c  5p  Tjs 


SM  SWAP  OUT  PROCEDURE  {  SEGMENT. NO  SHORT  INTEGER  ) 
RETURNS  (  SUCCESS_CODE  BYTE  } 

!  *#**  NOTE:  REENTRANT  PROCEDURE  ***#  ! 

!  SAVE  LOCAL  VARIABLES  ON  STACK  TO  ENSURE  REENTRANT  ! 

LOCAL  INLEX  SHOn-T  ‘  .EGER 
DBR.NO  SHORTl INTEGER 

ENTRY 

’’INDEX  :=  SEGMENT  NO  -  NR_C?  KSZGS 
KPTR  :•=  SSTPTR  ITC  GET_SEG  PTE  ■  K3T  SEC-  NO  '• 

I?  KPTR''  [INDEX]  .M  SES_  NO  =_NULL  SEG'TEEN 
SUCCESS  CODE  :=  SEGMENT, NOT, KNOWN 
ELSE 

IF  KPTR"  [INDEX]  .IN  CORE  -  FALSE  TnZN 
SUCCESS  COLE  :=  SUCCEEDED 
ELSE 

HPTR  :  -  *X?T?.~  [I  MDEX]  .MM  HANDLE 
DER  NO  :=  TC  GET  DPR  NX 

SUCCESS  CODS'  :=  MM-  SWAP  OUT  {  ^BR  NO, HPTR 
CONFINEMENT  CHECK  ( SUCCESS  CODE  : 

IF  SUCCESS  CODE  =  SUCCEEDED  THEN 
KPTR'' [INDEX]  .IN  CORE  :=  FALSE 
FI 
FI 
FI 

0  7TTP  M 

ENL  SM_SWAP_CUT 


lie 


r*1  M 


* 

* 

A 


CONFINEMENT  CHECK  PROCEDURE.  SERVICE  PROCEDURE  TO 
ENSURE  NC  SECURITY  VIOLATION  OCCURS  '•'HEN  INFO  IS 
PASSED  OUT  OF  THE  KERNEL  VIA  TEE  SUCCEoS.CODS. 
CALLS  ASSEMBLY  PROCEDURE  -  MONITOR  -EIC5  IS  TO 
CAUSE  A  JUMP  TC  TEE  MONITOR'S  ADDRESS  %i£c9h. 


sV  J.  k  *.  k,1.  ij.  %V  k*.  S#  '#  *V  V*  ^  k'.  S.  *'#  *V  O.  Uf  »*.  'V  ,V  .1#  k>.  »*.  s'.  »Jtf  kU  kt.  k*.  k1.  k*.  O.  k*#  kl«  k*.  k*.  J.  s',  -s'.  k>#  s1.  s'k  J. 
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CONFINEMENT. C5ECK  PRC CE EURE  ( SUCCESS. CODE  E YTZ / 


!  ****  NOTE:  REENTRANT  PROCEDURE  #**#  ! 

!  SAVE  LOCAL  VARIABLES  ON  STACK  TO  ENSURE  REENTRANT  ! 


ENTRY 

I?  SUCCESS.CODZ 

CASE  LEAE  SEG  EXISTS  TcIN 
MONITOR  ! EX  IT  SYSTEM! 

CASE  NO  LEAF  EXISTS  THEN 
MONITOR  ! EX  IT  SYSTEM! 

CASE  ALIAS  DOES  NOT  EXIST  THEM 
MONITOR  ! EX  IT  SYSTEM! 

CASE  NC  CHIDD  TC  DELETE  TEEN 
MONITOR  !EXIT  SYSTEM ! 

CASS  0  AST  FULL  THEN 
MONITOR  ! EX  IT  SYSTEM! 

CASE  L  AS T_ FULL  THEN 
MONITOR  ! EX  IT  SYSTEM  ! 

CASE  LCCA1  MEMORY  FULL  TEEN 
MONITOR  ! EX  I T  SYSTEM! 

CASS  GLOBAL .MEMORY  FULL  THEN 
MONITOR  ! EX  1 1  SYSTEM! 

CASS  SEC .5 TOR  FULL  THEN 
MONITOR  'EXIT  SYSTEM! 

FI 

RETURN 

END  CONFINEMENT  CEECK 
END  SEGVENT  MANAGER 
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APPENDIX  C  -  DISTRIBUTED  MEMORY  NANA^Zn  PLZ/  SYS  LISTINGS 


LIST  MMGR  MODULE 


CONSTANT 

CHEAT i  ENTRY  COLE 

delete'zntry'code 

ACTIVATE  SEG'CODE 
DEACTIVATE  SEG  COLE 
SWA?  IN_S  EG_  CODE 
SWAP'OUT  SEG  CODE 
NO  OF  PROCESSORS 
MAX  NO_XST  ENTRIES 
MAX  SEG  SIZE 
MAX_DER_NC 
NR  07_XSEG5 
XST  SEG  NO 


TYPE 

H_ ARRAY  ARRAY  [3  WORD] 

COM  ..MSG  ARRAY  fie  BYTE] 

CREATE  MSG  RECORD  [CREATE  COLE  WORE 

CE  MM  HANDLE  H  ARRAY 
CE"ENTRY  NO  SHORT  INTEGER 
CE  FILLER  BYTE 

ce“size  word 

CE..  CLASS  LONG] 

DELETE  MSG  RECORD  [DILZTI.COLZ  WCRD 

DE  MM  HANDLE  H_ARRAY 
DE 'ENTRY  NO  SHORT  INTEGER 
DZ..FIILZR  ARRAY!?  EYTEj] 

ACTIVATE  MSG  RECORD  [ACTIVATE  CODE  WORD 

A.  DRR  NO  SHORT  INTEGER 

A  FILLER1  EYTE 

A  MM  HANDLE  E  ARRAY 

A  ENTRY  NO  SHORT  INTEGER 

A' SEGMENT  NO  SHCxiT"  I  NTEGER 
A>ILLER2  LONG]" 

DEACTIVATE  MSG  RECORD  [DEACTIVATE  CODE  WORD 

D  DPR  NO  SF.CED  INTEGER 

D_IILLER1  BYTE 

D  MM  HANDLE  H  ARRAY 

L  FILLERS  ARRAY  [3  WORE]] 


;=  5E 


54 


=  £5 
■  1 
=  ?? 
=  ?? 
=  4 
=  ?? 
=  ?? 
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SWAP.  IS  MS 3 

RECORD  [SWAP  IS  CODE  WORD 

SI  MM  HANDLE  E  ARRAY 

SI  DPR  NO  SHORT  INTEGER 

SI  ACCESS  ALTE  RYTE 

S  I. FILLER  ARRAY  [3  WCRrl] 

SWAP.OUT.MSG 

RECORD  [SWAP  OUT  CODE  WOPD 

SO  DPR  NO  SHORT  INTEGER 

SO  FILLZE1  RYTE 

SO  MM  HANDLE  E  ARRAY 

SO  FILLZR2  ARRAY  [3  WORD]] 

R.SUC.CCDE 

RECORD  [SUC  COLE 

SC  FILLER 

] 

RYTE 

ARRAY [15  RYTE] 

R.ACTIVATE.ARG 

RECORD  [R  SUC  CODE 

r’filler 

R  MM  HANDLE 
R 'CLASS 

R_3  IZS 

RYTE 

RYTE 

E  ARRAY 

LONG 

WORD] 

CE.PTR 

"'CREATE. MSG 

LE.PTR 

~DELETI_MSG 

A_?TR 

■'ACTIVATE.  MSG 

D_  PTR 

~DSACTIVATE_MSG 

3  I. PTE 

~SWAP.IN.MSG 

SO_PTR 

"'SWAP. OUT  MSG 

SC_PTR 

■'R.SUC.CODE 

arg.ptr 

■'R.ACTIVATE.ARG 

SST.REC 

RECORD  [  MM  HANDLE 
SIZE 

ACCESS  MODE 

IN  CORE 

CLASS 

M  SEG  NC 

ENTRY. NUM3ER 

H  ARRAY 

WORD 

RYTE 

BYTE 

LONG 

SECRT  INTEGER 
SHORT .INTEGER  ] 

SST 

ARRAY  [  MAA  NO  EST 

.ENTRIES  EST.REC 
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So T PTH 

~XST 

ADDRESS 

WORD 

SEG_DESC_RSG 

RECORD  [BASE  AIDE  ADDRESS 

LIMIT  BYTE 

ATTRIBUTE  BYTE] 

mmu 

RECCED  [SDR  ARRAY  [NC_  SEG  _  DESC^RZG 

SEG  DZSC  REG] 
BLSS  USED  WG  ?. D 

MAX_BLES  WORD] 

mm_v?_id 

WORD 

SEG..  ARRAY 

ARRAY  [MAX  5EG_ S  IZE  BYTE] 

S  EG  FTP. 

SEG  ARRAY 

!AI 

MM_  CPU  TABLE 

ARRAY  [NO  .  OE..  PROCESSORS  MM.V?_ID] 

AL 

MMU._  IMAGE 

ARRAY  [MAX..  DBR_NO  MM'J] 

G_ AST_L0CS 

BYTE 

K_  LOCK 

PROCEDURE 

K_:J  NLO  CK 

PROCEDURE 

ITC. GET_C?C  NO 

PROCEDURE 

SIGNAL 

PROCEDURE 

W  AIT 

PROCEDURE 
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.u  hi#  h*.  »_1  #  J.  Jj  h1*  <1/  ,</  *.‘#  *'*  *U  «■•  hi#  **/  «1#  h*#  hi#  -'*  v*#  hi#  h'#  hi#  h<#  h>*  hi#  h<#  O#  hi#  hi#  hi#  hi#  hi#  hi#  •'#  hi#  h‘*  hi*  h-#  hi*  h I#  hi#  hi*  hi#  h<*  hi 

V  v  #|.  »r  »i*  #»~  *i-  v  <i-  #i*  *i'  #,*  Ji*#i*«i*#r  'i*  'i'  *»*  v  'i*  *»•  'i'  *i'  n*  v  n*  v  v  *i»  v  -i-  v  v  «»*  v  v  *»*  *i»  *i*  *r  *>«  '»•  *.*  »r  »i'  '<*  »>»  *r  *ix  *v  ».*  n*  »i 

* 

*  M.K  CREATI  ENTRY  PROCEDURE.  I NVOEED  BY  SEGMENT 

*  manager's  create  segment  procedure,  perfcrms  type 

*  CONVERSION  OF  WINTERS  ,  LOADS  MESSAGE  ARRAY  FOR 

*  IRC,  AND  PERFCRMS  IPC  'x  ITE  MEMORY  MANAGER  PROCESS. 

*  RETURNS  SUCCESS  CODE. 


v'r  'J*  *«*  *{S  #Jj  #[C  5,1 5[l  5jh  JjJ  V  J|!  #Jf  #Ji  #jS  #J?  v  #J«  V  v  V  v  v  vir  v  V  *!•  'r  V  ¥  V  *1*  *r  'i~  'p  v  V  v  'i*  V  V  t  V  v 


MM  CREATE  ENTRY  PROCEDURE  (  HPTR  'H_ ARRAY 

ENTRY  NO  SHORT  INTEGE 

SIZE  A CRD 

CLASS  LONG  ) 

RETURNS  (  SUCCESS  _  CODE  BYTE  ) 

J  ****  NOTE:  REENTRANT  PROCEDURE  ****  ! 

!  SAVE  LOCAL  VARIABLES  ON  STACK  TO  ENSURE  REENTRANT  ! 

LOCAI  CE  MSG?  TP.  CE_PTE 

COM  M3G2UF  COM  MSG 
COM'MSGPTR  ''COM  i'ISG 
5UC~  CCD2_PTr.  SC..  PTE 

ENTRY 

COM  MSGPTR  :«  *C0M  MSGR'U? 

!  TYPE  CCNVEPT  TO  OVERLAY  ARGUMENT  LIST  CNTC  MSG  LIST 
CE  MSGPTR  :=  CE_PTF.  COM  MSGPTR 

!  LOAD  ARG  LIST  ONTO  MSG  ARRAY  ! 

CE  MSGPTR'. CHEAT?  CODE  :=  CREATE_ ENTRY  COLE 
CS~MSGPTR.”'.CS  MM  HANDLE  [3]  :=  H?TR~[?]* 

CeImSGPTR'.CE  MM_HANDLS[1]  :=  HPTR'' fi] 

CE  MSGPTR'. CE_MM_HANDLE L2]  :  =  EPTE  12] 

CE  MSGPTR'. CS_ENTRY_NO  :=  ENTRY  NO 
CE  MSG?TR'.CE  CLASS  :=  CLASS 
CE"M5GPTR'.CE"SIZE  :=  SIZE 
PERFORM  IPC  (COM  MSGPTR) 

I  TYPE  CONVERT  TO  OVERLAY  MSG  ARRAY  ONTO  RET  VRG  LIST 
SUC  CODE_PTR  :=  SC  PTR  COM  MSGPTR 
SUCCESS  CODE  :=  SUC  CODE  PTP.'.SUC  CODE 
RETURN 

END  KM  CREATE  ENTRY 
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tV*  V*  V*  J#  "V  s'/  '*«  *'#  >V  %**  *1*  »*j  O -  *’j  xf*  *1#  '•**  V*  *U  .•*  »'<  O*  »*#  -  r»  .**  V#  V*  J.  J«  k>#  .'#  ■!«  .1,  %i,  ,  ,1.  k>«  .<>  k>«  kL  fci- 

v  "V*  »i»  *•«■*  *r  t  'i'  'v  v  *i*  *i'  'i*  *1*  »,»  -i*  <i*  *»*  »i»  *i«  v  *>*  *»»  'i-  'i«  'i-  v  v  'r  n*  v  *i»  v  •>'  v  *i*  *p  v  •(*  'r  *»•  v  *,»  nl  -i-  «r>  r,»  «,*  *,. »,»  .,.  »,*  .JS 


MM  DSLETS-ENTRY  PROCEDURE .  INVOKED  RY  SEGMENT 
MANAGER'S  DELETE  SEGMENT  PROCEDURE.  PERFORMS  TYPE 
CONVERSION  OF  POINTERS,  LOADS  MESSAGE  ARRAY  FOR 
IPC,  AND  PERFORMS  IPC  'aITH  MEMORY  MANAGER  PROCESS, 
RETURNS  SUCCESS  CODS. 


5**  Vf  k1.  V*  J.  k1*  V-  V*  V.  %•*  .*#  J#  V*  k>.  V*  Vf  V.  . ■-*  V.  V.  k*.  .*•  Vf  *'•  V*  k*.  J.  V*  V.  k'.  »'*  k1.  k1 .  J>  k1.  «>.  k1.  .I.  .1.  .1.  J.  O#  kr.  v»*  «'«  k1.  V.  J.  | 

n’  *»*•  'i*  'i"  »i-  *v*  ?i*  t  n*  A*  v  *•*  *r*  *1*  V  *p  »,*  v  *»»  5,*  *i«  <r*  *•  *i*  *t*  **«  »>*  *i*  v  v  »i«  *i~  *i»  <,•  »i*  7,*  *p  »|*  »(•  *,»  «|k  5J,  «,«  *,»  »,»  »p  *,*  »,»  <(k  j 
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MM  DSLETE_ENTRY  PROCEDURE  (  EPTR  "E  ARRAY 

ENTRY_NC  SHORT  INTEGER  ) 

RETURNS  (  SUCCESS _ CODE  RYTE  ) 

!  *#**  NOTE:  REENTRANT  PROCEDURE  ****  ! 

!  SAVE  LOCAL  VARIABLES  ON  STACK  TC  ENSURE  REENTRANT  ! 

LOCAL  DE  MSGPTR  DS_?TR 
C CM  msgeuf  com  MSG 
COM~MSGPTF.  "COM  MSG 
SUC_CODE..PTR  SC..PTR 

ENTRY 

COM  MSGPTR  :=  *C0M  MSGBuF 

!  TYPE  CONVERSION  TO  OVERLAY  ARC-  LIST  ONTO  MSG  ARRAY  ! 
LI  VSGPTR  :=  LE  PTE  COM  MSGPTR 
!  *  OAD  AEG  L 1ST- ONTO  MSG  ARRAY  ! 

DE  MSGPTR". DELETE  CODE  :=  DELETE  ENTRY  CODE 
DE  MiSGPTR"  .L?_MM  HANDLE  10]  :=  k?TE"U]’ 

DE  MSGPTR". DS_MM’HANDLE[1]  :=  E?TR"[l] 

DE  MSGPTR". DE  MM~HANDLS  [2]  :=  H?TR"[2] 

DE  MSGPTR". DE  ENTRY  NO  :=  ENTRY  NO 
PERFORM  IPC  (COM  MSGPTR) 

!  TYPE  CONVERT  TO  OVERLAY  MSG  ARRAY  ONTO  AEG  LIST  ! 

SUC  CODZ_?TR  :=  SC  PTR  COM  MSGPTR 
SUCCESS  CODE  :=  SUC  CODZ_  PTP."  .SUC  CODE 
RETURN 

END  MM  DELETE  ENTRY 


(>'*  »*'  V'  •*?  5'*  *v  »v  »**  «i<  »v  »u  «v»  »i*  >i>  »>»  »u  »'»  ,u  »'<  *•»  »v  >'«  *>«  »•»  »•#  »V  *'»  «*»  «■<  ••#  >v  V#  »•»  *V  »v  «•<  J»  *'»  >v  «*«  V*  »*»  *'« 

•l’  V  *(•  V  l*  *i*  V  V  •»»  *i»  <V  •,»  *i«  •!»  *|*  *i«  V  »i«  *|»  *|»  »|»  V  »,»  V  »i*  *|*  »|*  *i»  »,»  #,»  *|»  v  *!"•  V  *|»  *,*  #|*  •»,»  «|»  *(»  #,•  #)•  /,<i  »|» 


*  MM  ACTIVATE  PROCEDURE.  INVOKED  BY  SEGMENT  MANA- 

*  GSR'S  MAKE  KNOWN  PROCEDURE.  PERFORMS  TYPE  CONVERSION 

*  OF  POINTERS,  LOADS  MESSAGE  ARRAY  FOR  IPC,  AND  UP- 

*  DATES  MM_ HANDLE  ENTRY  IN  1ST  AFTER  PERFORMING  THE 

*  IPC.  RETURNS  SUCCESS_ COLE ,  CLASS,  AND  SIZE. 


vu  J.  -,u  ,v  -.v  »«-  -J*  4.  ,«*  «u  %•*  j,  *•»  a#  .•*  su  *V  .i 

r*  *r  v  v  'i*  »r  v  ¥  v  '(•'i'tt'i'tvw  *i*  **•  vi'T'r  W  "*•  V  r*  '»*  i*  'i*  'r 


sj:  ###;! 


MM  ACTIVATE  PROCEDURE  (  DIR  NO  SHORT  INTEGER 

HPTR  "S  ARRAY 

ENTRY  NO  SHORT  INTEGER 

SEGMENT  NC  SHORT  INTEGER  , 

RETURNS  (  SUCCESS" CODS  BYTE 
CLASS  "  LONG 

SIZE  WORD  ) 

J  ****  NOTE:  REENTRANT  PROCEDURE  ****  ! 

!  SAVE  LOCAL  VARIABLES  ON  STACK  TO  ENSURE  REENTRANT  ! 


LOCAL  A  MSGPTR  A  PTE 

COM_M5GBUF  C3M_MSG 
COM_ MSGPTR  "'COM  MSG 
RET_ARG?TR  ARGPTR 
KPTR  KSTPTR 

INDEX  SHORT  INTEGER 

ENTRY 

COM  MSGPTR  :=  #C0M  MSG3UF 

!  TYPE  CONVERT  TO  OVERLAY  ARG  LIST  ONTO  MSG  ARRAY  ! 

A  MSGPTR  :=  A_  PTR  COM  MSGPTR 
!  LOAD  ARG  LIST  ONTO  MSG  ARRAY  ! 

A  MSGPTR'". ACTIVATE  CODE  :=  ACTIVATE  SSG_C0Di 
A  MSGPTR". A  LPR  NO  :=  BBE  NC 
A  MSGPTR". A_MM  HANDLE  [0]  :  =  HPTR"[«j] 

A  MSGPTR". A  MM  HANDLE  [1]  :=  HPTR"  Tl] 

A  MSGPTR" .A_MM  ' HANDLE [2]  :=  HPTR"  [2] 

A  MSGPTR". A  ENTRY  NO  :=  ENTRY  NO 
A  MSGPTR". A  SEGMENT  NO  :=  SEGMENT  NO 
PERFORM  IPC  (COM  MSGPTR) 

!  TYPE  CONVERT  TO  OVERLAY  MSG  ARRAY  ONTO  RET  ARC  LIST 

RET  ARGPTR  :=  ARG  PTR  COM  MS'GPTR 

SUCCE5S_CCDE  :=  RET  ARGPTR". R  SUC  COLE 

CLASS  :=  RET  ARGPTR". R  CLASS 

SIZE  :=  RET  ARGPTR". R  SIZE 

INDEX  :=  SEGMENTING  -  NR  CF.KSEGS 

!  RETRIEVE  HANDLE  AND  UPDATE  KST  ! 

KPTR  :=  KSTPTR  MM  GST  KSEG  PTR  (  SEG_NO  ) 

E PTR  :=  #KPTR" [INDEX]  .Mv  HANDLE 
HPTR."  [o]  :=  RET_  ARGPTR". R  MM_HANDLE  [0] 

EPTR"[l]  :=  RET  ARGPTR".  R  MM_nANDLE  [l] 

H?TR"[2]  :=  R ZT_ ARGPTR" . R  MM  HANDLE [2] 

RETURN 

END  MM  ACTIVATE 
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*  MM  DEACTIVATE  PROCEDURE.  INVOKED  3Y  SEG  MGR 'S 

*  DEACTIVATE  PROCEDURE.  PERFORMS  TYPE  CONVERSION 

*  OF  POINTERS,  LOADS  MESSAGE  ARRAY  FOR  IPC,  AND  PER- 

*  FORMS  IPC.  RETURNS  5UCCSSS_ CODE  . 

Jr 


^**p  vn* V  V *»•  ^JS  jJj >Ji  Jjc  jJj 5{»  ^ *!*  V  n* V  V  *{» J|»  «{C  jjl  Sjt  »|«  5j5  5jc )Jt  >J?  Jji Sjc ${% 5{C  5|? Jjl  JjC 5$*  >J*  *JC  ?}* 3j*  5|i  ?Jt  5j»  V  v  V  *!» 


MM  DEACTIVATE  PROCEDURE  (  DRR  NO  SHORT  INTEGER 

fc?TR~  "E  ARRAY  ) 

RETURNS  (  SUCCESS _C ODE  3YTE  ) 

i  ****  NOTE:  REENTRANT  PROCEDURE  ****  ! 

!  SAVE  LOCAL  VARIABLES  ON  STACK  TC  ENSURE  REENTRANT  ! 

LOCAL  D  MSGPTR  D_?TR 

COM_MSGEUF  COM  MSG 
COM  MSGPTR  "C0M_M3G 
SUC_C0DE„?TR  SC..PTR 

ENTRY 

COM  MSGPTR  :=  *C0M  MSGBUF 

!  TYPE  CONVERT  TO  OVERLAY  ARG  LIST  ONTO  MSG  ARRAY  ! 

D  MSGPTR  :=  L  PlR  COM  MSGPTR 
!  LOAD  ARG  LIST  ONTO  MSG  ARRAY  ! 

D  MSGPTR". DEACTIVATE  CODE  :=  DEACTIVATE  SEG  CODS 
D  MSGPTR". D  DBR  NO  :=  DBR  NC 
D  MSGPTR". DIMM  HANDLE  [a]  :  -  HPTP."[Z] 

D  MSG?TR".D  MM  HANDLE  [l]  :=  H?T?."[l] 

D  MSGPTR". v  M,M  HANDLE  [2]  :=  EPTR"  [2] 

PERFORM  IPC  (COM_MSG?TR) 

!  TYPE  CONVERT  TO  OVERLAY  MSG  ARRAY  ONTO  RET  ARG  LIST 
SUC  CODS  PTR  :=  SC  i'TH  COM  MiSGPTR 
SUCCESS  CODE  :=  SUC  CODE  PTR"  .SUC  CODE 
RETURN 

END  MM  DEACTIVATE 
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MM  SWAP  IN  PROCEDURE .  INVOKED  3Y  SEGMENT  MANAGER'S 
SM~SWAP_  IN  PROCEDURE.  PERFORMS  TYPE  CONVERS 10 >1  OE 
POINTERS,  LOADS  MESSAGE  ARRAY  FOR  IPC,  AND  PERFORMS 
I?C.  RETURNS  SUCCESS  CODE. 


^  v  t  *r  v  'i*  v  *1*  *i*  v  V  ^1"  P,C  ^  jj<  jjc  )j;  ijc  jjj  Jjl  i[l  5jC  Jjc  v  J{^  v  »!•  5{s  Jjc  sjf  i{C2{J  3{S  Jjc  5js  3{J  jJj  j{?  Sji 


MM_SWA?_  IN 


PROCEDURE  (  DPR  NO 
LPTR 

ACCESS  MODE 

RETURNS  (  SUCCESS  CODS 


SHORT..  INTEGER 
”E  ARRAY 
BYTE  ) 

BYTE  ) 


!  ****  NOTE:  REENTRANT  PROCEDURE  ****  ! 

!  SAVE  DOCAL  VARIABLES  ON  STACY  TO  ENSURE  REENTRANT  1 
LOCAL  31  MSGPTR  SI  ?TR 
COM  MSGEUF  COM  MSG 
COM~MSGPTR  ''COM  MSG 
SUC~CGDE  PTR  SC  PTR 


ENTRY 

COM  MSGPTR  :=  #COM_MSGBUF 

!  TYPE  CONVERT  TO  OVERLAY  ARG  LIST  ONTO  MSG  ARRAY  ! 

SI  MSGPTR  :=  SI  PTR  COM  MSGPTR 
!  LOAD  ARG  LIST  ONTO  MSG  ARRAY  ! 

SI  MSGPTR''. SWAP  IN_COLE  :=  SWAP  IN  3EG  COLE 
SI~M3GPTK''.SI  MM  HANDLE  [0]  :=  HPTP.’'[o]' 

S  I_MSGPTR”.S  I  MM  HANDLE  [l]  :=  HPTR''[l] 

SI  MSGPTR” .S  I  MM.  HANDLE [2]  :=  HPTR”  [2] 

S I "MSGPTR ”.S  I~  DR?.  NO  :=  D3R  NO 
S I "MSGPTR ”.S I  ACCESS  AUTE  :  =  ACCESS  MODE 
PERFORM.  IPC  (COM  MSGPTR; 

!  TYPE  CONVERT  TO  OVERLAY  MSG  AFRAY  ONTO  RET  ARG  LIST 
sue  CODE  PTR  :=  SC  PTR  COM  MSGPTR 
SUCCESS_CCDZ  :=  SUC.CODZ  PTR~.SUC  CODE 
RETURN 

END  MM  SWAP  IN 
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MM  SWA?  OUT  PROCEDURE.  INVOKED  BY  SEGMENT  MANAGER'S  * 
SM'SWAP  OUT  PROCEDURE.  PERFORMS  TYPE  CONVERSION  OF  # 
POINTERS,  LOADS  MESSAGE  ARRAY  ECR  IPC ,  AND  PERFORMS  * 
I  PC.  RETURNS  SUCCESS  CODS.  * 


MM  SWAP  OUT  PROCEDURE  (  HPTR  ~n  ARRAY 

ACCESS  MODE  BYTE  ) 

RETURNS  (  SUCCESS_  CCDS  EYTE  j 

!  *#**  NOTE:  REENTRANT  PROCEDURE  ****  ! 

!  SAVE  LOCAL  VARIABLES  ON  STACK  TO  ENSURE  REENTRANT  ! 

LOCAL  SO  MSGPTR  SO  PTP 
COM  MSGBUF  COM  MSG 
COM* MSG? 'IP.  "COM  M.SG 

SUC'CODE_?TP.  SC.PTP. 

ENTRY 

COM  MSGPTR  :=  *  COM  MSGEUE 

!  TYPE  CONVERT  TO  0.VEF.LAY  ARG  LIST  ONTO  MSG  A  «~AY  ! 

SO  MSGPTR  :=  SO  ?TR  COM  MSGPTR 
!  LOAD  ARG  LI  ST' ONTO  MSG  ARRAY  ! 

SO  KSGPTP.''. SWA?  OUT  CODE  :=  SWAP  OUT  52G  CODE 
SO'MSG?TR~.SO  MM  HANDLE [2]  :=  E?TR~!>] 

SC>SG?TR~.SO  MM  HANDLE  [11  :=  LPTR"[l] 

S0~MSGPTR~.50  MM  aA.\DLEL2]  :  =  EPTHUJ 
SO  MSGPTR''. SO  D3R  NO  :=  DBR  NO 
PERFORM  IPC  ( CCM:  MSGPTR! 

!  TYPE  CONVERT  TO  OVERLAY  MSG  ARRAY  ONTO  RET  ARG  LIST  ! 
sue  CODE  PTR  :=  SC_?T.R  COM  MSGPTR 
SUCCESS  CODE  :=  SUC  CODE  PIR~.SUC  CODE 
RETURN 

END  MM  SWA?  OUT 
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*  MM  GET  D3R_ VALUE .  SERVICE  ROUTINE  TEAT  RETRIEVES 
-  TEE  DBR  "VALUE"  (IE  ADDRESS )  BASED  UPON  A  DBR_  MO . 


j|t  3J:  *  s>c  #  $  $  &  $  $  j'.t  $  if #  #  i?  >1:  :;=  J|!  #  *  J|:  if  *f  if  ^  -,'•  *f  -,=  Sr  I 


MM  GET  DIR  VALUE  PROCEDURE  ( D3R  NO  SHORT  INTEGER) 

RETURNS  iDER’VALUE  ADDRESS/ 

,  ****  NOTE:  REENTRANT  PROCEDURE  ****  ! 

!  SAVE  LOCAL  VARIABLES  ON  STACK  TO  ENSURE  REENTRANT  ! 

ENTRY 

DBR. VALUE  :=  #MMU_ IMAGE  [0BR_NQ] 

RETURN 

END  MM_GET,D3R_ VALUE 
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*  PERFORM, IPC  PROCEDURE.  INVOKED  BY  DISTRIBUTED 

*  MEMORY  MANAGER  PROCEDURES.  DETERMINES  CURRENT 

*  MEMORY  MANAGER'S  V?  ID,  LOCKS  C-  AST,  PERFORMS 

*  IPC  VIA  SIGNAL  AND  YAIT  PRIMITIVES,  AND  UNLOCKS 

*  THE  G  AST . 


$  -.;s  s[s  it  if  s;s  if  it  if  $  *  #  i)c  if  if  *  #  #  s*  $  s;s  #  »:*  if  s] 


PERFORM  IPC 


PROCEDURE  ( C CM  MS3PIR 


'CC* 


;oG; 


!  ^ * # #  MOTE:  REENTRANT 

!  SAVE  LOCAL  VARIABLES  ON 


PROCEDURE  ****  ! 

STACK  TO  ENSURE  REENTRANT  ! 


LOCAL  MMG-R.  VP_  ID 

ENTRY 

!  DETERMINE  MMGR  V?  ID  ! 

CPU  NO  :=  ITC  GET  CPU  NO 

MMGR  VP  ID  :=  MM  CPU  TABLE  [CPU  NO] 

K  LOCK  ( #G  AST  LOCK) 

!  IPC  WITH  MEMORY  MANAGER  PROCESS  ! 
SIGNAL  (  COM  MSGPTR,  MMGR_ 7?  ID  ) 
WAIT  (  COM  M.SGPTR  ) 

K  UNLOCK  (#G  AST  LOCK  ) 

RETURN 

END  PERFORM, IPC 
END  DIST  MMGR 
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APPENDIX  E  -  NON-DISCRETION ARY  SECURITY  PL2/SY3  LISTINGS 


N2S  MODULE 


CONSTANT 


TYPE 


TRUE 

FALSE 


ACCESS  CLASS 


CPTR 


INTERNAL 


CLASS  1  PTR 
CLAS52_PT° 
CATS  P.EL 


RECORD  [  LEVEL  INTEGER 
CAT  INTEGER  1 
"ACCESS  CLASS 


C?TR 

CPTR 

INTEGER 


GLOBAL 


4e4c4c4c4c4c4«4c4c4c  4=  4«  *  *  *  4c  4« 4«  4!  *  4c  #  4c  Af  *  4c  4c  A' -f-  *  4«  4s  4c  4c  4:  At  *  #  4c  4c  4:  *  *  *  4 
4« 

*  CLASS  EQ  PROCEDURE.  INVOKED  BY  VARIOUS  KERNEL 

*  PROCEDURES.  COMPARES  TfcU  CLASSIFICATIONS  (LABELS) 

*  AND  DETERMINES  IF  THEIR  RELATIONSHIP  IS  EQUAL. 

*  RETURNS  A  TRUE /FALSE  CONDITION  CODE. 

4c 

45*4:  5*  V  V  v  4s  4c  4s  cjc  4c  4s  4c  4c  4c  4=  4;  4s  4s  4c  4c  4c  4s  4s  41 4c  4*  4s  4c  4c  4c  4s  4C  V  *5*  v  v  *jc  V  V  ^1*  *r  V  v  *!{  v  5r*r  V  *!*  J Js  5jS  »( 


CLASS  EQ  PROCEDURE  (  CLASS  1  LONG 

CLASS2  LONG  ) 

RETURNS  {  CON  EITI  CN'_ C CDE  BYTE  ’) 

ENTRY 

IF  CLASS1  =  CLASS 2  THEN 

COND ITION_  CODE  :=  TRUE 

ELSE 

CONDITION  CODE  :=  FALSE 
FI 

RETURN 
END  CLASS  EQ 


|  5,‘t  jJX  ij<  5|»  *T,"  5»*  *1*  5{5  »JS  5|*  3ji  'i*W  'i‘  '!•  >J*  W  v  v»kV5{'  **'  5l»  *,t  5^  SjS  ?J>  V  K5  !^t  ?,*  5,J  5^.  3^  v  V  *r 

*  * 

*  CLASS  GE  PRCCZEGRE.  CALLED  EY  VAR 10 15  KERNEL  * 

*  PROCEDURES.  COMPARES  TWO  CLASSIFICATIONS  ( CL AS 31  * 

*  AND  CLASS2 )  AND  DETERMINES  IF  LA3EL1  IS  GREATER  * 

*  TEAN  OR  EQUAL  TO  CLASS 2 .  RETURNS  TRUE/ FALSE  CONDI-  * 

*  TION  CODE.  * 


^  v  v  *<*  'I*  V  v  *»*  Sjt  2j?  v  »|*  v  V  »{•  v  •!'  V*  V  *<•  *r  V  v  'i“  v  v  v  V  v  *r  *fi  *!*  V  v  *i*  'J'  v  *t*  *p  W  V  »t*  W  v  ^ 


CLASS  GS  PROCEDURE  (  CLASS1  LONG 

CLASS2  LONG  ) 

RETURNS  (  CON LIT  I CN_ CODE  BYTE  j 

ENTRY 

!  TYPE  CONVERSION  TO  ALLOW  OPERATIONS  ON  THE  16  MOST  ! 

!  AND  16  LEAST  SIGNIFICANT  BITS  OF  EACH  CLASS.  THE  ! 

!  16  MS3ITS  ARE  THE  CLASS  LEVEL  AND  TEE  15  LS3ITS  ! 

!  ARE  TEE  CLASS  CATEGORY  (CAT).  ! 

CLASSl  PTR  :=  CPTR  #CLASSl 

CLA3S2~?TP.  :  =  CPTR  #CLASS2 

!  COMPARE  CATEGORIES  (SET  COMPARISON.;  SEE  IF  C ATP  ! 

!  IS  A  SUBSET  OF  CAT1.  ! 

CATS  REL  :=  CLASSl  PTR". CAT  OR  CLASS 2  PTR". CAT 
I?  CATS  REL  -  CLASSl  PTR". CAT  I  THEN  CAT 2  IS  SUBSET  ! 
ANDIF  CLASSl  PTR". LEVEL  >=  CLASS2  PTR". LEVEL  TEEN 
!  LEVEL  COMPARISON  IS  SIMPLE  NUMERICAL  COMPARISON  ! 
CONDITION  CODZ  :=  TRUE 

ELSE 

CONDITION  CODE  :=  FALSE 
FI 

RETURN 

END  f  LASS_GE 
END  NDS 
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APPENDIX  G  -  SUMMARY  OF  REFINEMENTS 

The  followine  new  procedures  were  added  to  the  Inner 
Traffic  Controller: 

(1)  ITC_GST_CPU_N0  procedure.  This  procedure  locates  and 
returns  the  current  C^U  number  (identification).  It  was  used 
in  segment  management  ty  the  distributed  memory  manager  to 
index  into  the  MM_C?TJ_TA5LE  to  find  the  memory  manager 
process  V?__ID  for  the  current  processor.  This  Y?_ID  was,  in 
turn,  used  as  an  argument  in  the  call  to  SIGNAL. 

(2)  ITC_GZT_SZG_PTE  procedure.  This  service  procedure 
uses  an  input  segment  number  to  search  the  MMU_  I MAGE  to  find 
the  base  address  (pointer)  for  that  segment.  It  was  usea  in 
segment  management  to  find  the  base  address  of  tne  segment 
used  in  a  process  for  its  KST. 

(3)  K_I0CE  and  K_TTNI0CX  procedures.  These  procedures 
were  implemented  to  indicate  the  intention  to  eventually 
have  a  kernel  wait-lock  system.  K_L0CK  simply  calls 
S PI N_LOCK  in  its  present  design. 

The  following  changes  were  made  to  the  Inner  Traffic 
Controller: 

(1)  The  provision  :or  a  "jump  table"  was  removed  when  a 
working  version  of  the  linker  was  introduced.  This  involved 
removing  the  constant  TC_FEFEMFT_KANELER  and  addins  an 
"external"  declaration  for  the  TC  PREEMPT  HANDLER  Procedure. 
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(2)  Minor  changes  were  necessary  in  three  procedures  to 
no&ify  the  message  size  from  one  word  to  a  sixteen  tyte 
array  (minor  changes  were  also  needed  in  the  declaration 
section).  The  procedures  effected  were:  ENTEF:__MSG-_LIST  . 
GST_?IHST_MSG,  and  WAIT.  The  changes  are  documented  ir.  the 
code  for  each  procedure. 

The  following  procedures  were  added  to  the  Traffic 
Controller : 

(l)  TC_GZm_?*?OC_CIASS  Procedure.  This  procedure  locates 
and  returns  the  current  process's  classifi cation  (i.e..  it 
retrieves  the  SAC  entry  from  the  APT).  It  was  used  in 
segment  management  to  retrieve  the  ??.CC_CLASS  for  the 
Segment  Manager. 

(3)  TC_GST_DBE_;,0  Procedure.  This  procedure  returns  the 
current  DB?_.\lO  value  from  the  APT.  The  Segment  Manager  used 
this  procedure  to  ottain  the  D5?._f.C  to  pass  to  the  memory 
manager . 

The  version  of  the  Traffic  Controller  shown  in  Appendix 
P  is  a  "stut"  of  Eeitz'  [9]  actual  work.  This  stut  contains 
the  elements  of  tne  TC  Module  needed  for  proper  operation  cf 
the  segment  management  demonstration. 
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APFSNII7  H  -  SEGMENT  h.ANAGEPZNT  DEMONSTRATION 


A.  DESCRIPTION 

The  3eg_Mgr.Dem.o ,  as  stated  before,  is  built  onto  Reitz' 
Sync. Demo  (wnich  was  design°d  for  a  different  purpose  than 
segment  management,  obviously).  The  functions  illustrated  by 
the  present  demonstration  are:  (1)  virtual  processor 
synch ronization  and  (2)  segment  management  function 
performance.  The  listings  of  the  modules  involved  are  in 
appendices  A-F  and  I.  It  is  suggested  that  the  ASM  versions 
be  used  as  references?  PIZ/SYS  versions  served  as 
"pseudo-code’  during  detailed  design,  but  are  untested.  The 
narrative  discussion  of  tne  demonstration  context  and 
sequence  is  presented  below.  The  output  generated  at  each 
process  entry  point  will  Identify  the  signaller  in  each  case 
and  tne  acticn  the  current  process  takes.  The  following 
actions  are  illustrated  (viz.,  "simulated")  ir.  this 
demonstration.  Note  that  this  simulation  uses  tne  ITC 
SIGNAL/WAIT  primitives  instead  of  the  TC  ADVANCE /AVA IT 
primitives  that  are  not  yet  implemented. 

1.  An  I/C  interrupt  signals  the  10  process  that  a 
packet  from  tne  nost  is  ready.  The  10  process  is 
scneduled?  it  reads  tne  packet  (output:  "IC:  Receive 
Command")  and  signals  the  FM  process  (output:  ” I C : 
Signal  FM  (Create)"),  passing  the  command  (CREATE  is 
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simulated).  The  10  process  calls  Wait,  thus  blocking 
itself  while  waiting  for  a  signal  from  the  FM 

process . 

2.  The  FM  process  is  scheduled  ' output: 

”lO=Signaller" ) ;  it  interprets  the  comnand 
(simulated)  as  CREATE  and  thus  calls  CREATE_SEG  in 
the  Segment  Manager  (output:  "?M:  Call 

Kernel (Create) ") .  The  normal  input  arguments  for 
C?.EATE_SEG  are  passed  in  this  call. 

3.  CREATE_SEC-  validates  the  CREATE  request  and  then 

calls  MM_CREATE_En!TF.Y  in  tne  Distributed  Memory 

Manager . 

4.  MM_CF.EATE_ENTRY  signals  the  memory  manager 

process  (MM  process)  and  calls  WAIT,  thus  blocking 
itself  while  waiting  for  a  signal  from  the 

process . 

5.  The  MM  process  is  scheduled  (output: 

"Kernel^Signal ler  (for  FM)");  tne  mainline  code 
interprets  the  function  code  and  calls  the 
CfiEATE_SNTRY  procedure  for  action.  When  action  is 
complete  (output:  "MM:  CRSATE_ENTRY" ) ,  the  procedure 
returns  to  tne  mainline  code.  The  MM  process  signals 
the  return  success  code  in  a  message  to  the  FM 
process,  then  calls  WAIT  to  wait  for  the  next 
signal . 

6.  The  FM  process  is  scheduled  (output:  "Return  frcr 
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Kernel").  The  FM  process  Uien  signals  completion  of 
CREATE  to  the  10  process  and  calls  WAIT  (output: 
"FM :  Signal  10"). 

7.  The  10  process  is  scheduled  (output: 
"FM=S ignaller" ) .  It  signals  the  FM  process  to  cause 
a  "read"  to  occur,  i.e.,  the  same  pattern  as  in 
steps  b.  through  e.  occur  for  MAKE_KNOWN  and  SVAP_IN 
prior  to  the  FM  process  signalling  back  to  the  10 
process  that  the  "read"  was  corpleted.  This  "read" 
is  defined  strictly  for  this  test  and  is  rot 
equivalent  to  a  typical  ?.eai_File  packet. 

3.  The  10  process  will  tnen  he  again  scheduled  and 
will  perform  the  same  functions  as  did  the  FM 
process  (i.e.,  will  call  MA£3_EN0WN  and  SM_SVAP_IN 
sequentially)  for  the  same  segment . 

9.  The  10  process  will  again  he  scheduled  ana  will 
signal  the  FM  process  to  perform  the  sane  sequence 
as  described  ir.  g.  for  SM_S'VA.?_CUT  and  TERMINATE. 

12.  The  10  process  will  again  he  scheduled  and  will 
repeat  step  h.  with  SM_SWAP_OUT  and  TERMINATE. 

11.  The  10  process  will  again  be  scheduled  and  will 
cause  the  FM  process  to  repeat  steps  b.  through  e. 
to  delete  (DZLETE_SEG  called)  the  segment. 

12.  The  entire  loop  repeats  forever. 


I .  INITIALIZATION 

The  description  of  the  intialization  of  the  databases  is 
presented  in  figures  containing  the  appropriate  memory  data. 
Reference  to  the  previous  descriptions  cf  these  databases 
and  the  type  declarations  will  be  useful.  Figure  9  is  the 
initialized.  Active  Process  Table.  Figure  18  is  the 
initialized  Virtual  Processor  Table.  Figure  11  is  partial 
representation  of  tne  initialized  EST  for  tne  Ff'1  process 
(93CZ)  and  the  10  process  (9782).  Figure  12  is  partial 
representation  of  the  initialized  i“TU_IMAGE.  Figure  13  is 
partial  representation  of  the  initialized  process  staci 
segments.  Figure  14  is  the  corresponding  lini  comnand  line 
and  response,  and  the  Imager  command  line  and  response. 
Figure  15  is  the  load  command  lines  and  response,  and  the 
register  initializations.  Figure  16  is  the  output  (as 
displayed  on  the  CF.T  screen)  generated  by  the  demonstration. 
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